Thursday, December 18, 2003

No MS Security Issues In December? Think Again!:
"Mozilla not immune.

…there is a particular problem in Internet Explorer which allows a malicious coder to make it appear as if the user is viewing a different Web site than they actually are viewing. The bug involved the use of a feature of Uniform Resource Identifiers (browser addresses) that is more often abused than used legitimately: the '@' character.

When an '@' is part of the domain in a Web address, the browser treats the string to the left of it as a user name to fill in any userid prompts, and everything on the right side as the domain name. This is perfectly legitimate syntax. Click here for the actual standard document about URIs.

Malicious coders, such as phishers, often will use this technique to obscure the actual address of the site they send you to. For example, they might send you a message that appears to be from Paypal and include a link that looks something like this:

http://www.paypal.com@64.225.264.128/accounts/validate.htm (The IP address I used is illegal for the same reason they use 555 phone numbers on TV shows.)
Notice the numeric string to the right of the '@' mark. This link will not take you to www.paypal.com, but to 64.225.264.128. But most unsophisticated users won't notice the difference. Still, all of this monkey business is perfectly legal (if immoral) under the URI standard.

The latest bug adds a twist: If you put ASCII 00 and 01 characters (designated as %00%01 in the spec.) just prior to the '@' character, then Internet Explorer won't display the rest of the URL when the user views the page. In JavaScript you must use just the %01 character and also decode the string with the unescape() function.

There are many variations of this particular scheme, and surprisingly some of them partially work on Mozilla as well.

The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. Versions of Mozilla I tested (Versions 1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in the address and status lines. "

http://www.eweek.com/print_article/0,3048,a=114456,00.asp
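Since the whole trick rests on how the authority part of a URL is split, here is a small link checker of the kind a mail filter or proxy would run, added here as an illustration and not taken from the eWeek article or from any browser's code. It applies the rule the article quotes (text before the last '@' is userinfo, text after it is the real host), percent-decodes the userinfo the way unescape() would, and flags the two things that make these links deceptive: a userinfo that looks like a domain name, and %00/%01 control characters that cut the displayed address short. The function names and the sample links are my own (the first sample is the one from the quoted text; the IP address is the deliberately invalid one used there).

```python
import re
from urllib.parse import unquote

# The two characters the 2003 IE bug hid everything after (%00 and %01 in URL form).
CONTROL_CHARS = "\x00\x01"

_ABS_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)$", re.S)


def split_authority(url):
    """Split an absolute hierarchical URL into (scheme, authority, rest).

    The authority is taken verbatim: it ends at the first '/', '?' or '#',
    and the host is NOT validated, so a deliberately bogus address such as
    64.225.264.128 is analysed rather than rejected.
    """
    m = _ABS_URL.match(url)
    if not m:
        raise ValueError("not an absolute URL with an authority: %r" % url)
    return m.group(1), m.group(2), m.group(3)


def analyze_url(url):
    """Return the real host, the decoded userinfo, what a reader would see
    before any control character, and a list of findings (hypothetical helper)."""
    scheme, authority, _ = split_authority(url)

    # RFC 2396/3986: userinfo, if present, ends at the LAST '@' in the authority;
    # everything after it is the host (plus an optional port). Split before
    # decoding so a %40 inside the userinfo is not mistaken for the separator.
    if "@" in authority:
        userinfo_raw, hostport = authority.rsplit("@", 1)
        userinfo = unquote(userinfo_raw)  # same effect as JavaScript's unescape() on %xx
    else:
        userinfo, hostport = None, authority

    # Strip the port; keep IPv6 literals ([...]) intact.
    if hostport.startswith("[") and "]" in hostport:
        real_host = hostport[: hostport.index("]") + 1]
    else:
        real_host = hostport.split(":", 1)[0]

    findings = []
    shown_prefix = None
    if userinfo is not None:
        findings.append("userinfo present")
        # What a reader sees if rendering stops at the first control character,
        # which is the Internet Explorer behaviour the article describes.
        shown_prefix = re.split("[%s]" % CONTROL_CHARS, userinfo, maxsplit=1)[0]
        if shown_prefix != userinfo:
            findings.append("control character in userinfo")
        # A userinfo shaped like a hostname is the phisher's fake "address".
        if re.fullmatch(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}", shown_prefix):
            findings.append("userinfo resembles a domain name")

    return {
        "scheme": scheme,
        "real_host": real_host,
        "userinfo": userinfo,
        "shown_prefix": shown_prefix,
        "findings": findings,
    }


# Constructed sample links; the first is the one quoted in the post.
SAMPLE_LINKS = [
    "http://www.paypal.com@64.225.264.128/accounts/validate.htm",
    "http://www.paypal.com%00%01@64.225.264.128/accounts/validate.htm",
    "http://alice@intranet.example:8080/",
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = analyze_url(link)
        print(link)
        print("  real host: %s  shown prefix: %r  findings: %s"
              % (r["real_host"], r["shown_prefix"], r["findings"]))
```

Run it and the first two sample links both resolve to 64.225.264.128 while a reader sees only www.paypal.com; the second is additionally flagged for the embedded %00%01. A plain username such as alice@ is reported as userinfo but not as a lookalike, which is the distinction a filter wants before it starts rewriting or blocking links.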
