I can only reproduce this from the My Computer zone, which already allows arbitrary command execution through the codeBase vulnerability - I don't see anything new in this, but feel free to correct me. Regards Thor Larholm Senior Security Researcher PivX Solutions, LLC Get our research, join our mailinglist - http://pivx.com/larholm/ -----Original Message----- From: Liu Die Yu [mailto:liudieyuinchina@yahoo.com.cn] Sent: Wednesday, November 05, 2003 2:32 AM To: bugtraq@securityfocus.com Subject: IE: double slash moves cache from INTERNET zone to MYCOMPUTER zone Snip http://www.securityfocus.com/archive/1/343474/2003-11-02/2003-11-08/0
