I find this message thread annoying because no one here actually
knows the details of the bug or how to exploit it, yet the subject
line hints otherwise. I give you, Edwin, great credit for all the
work you did in actually trying something before saying "just use
file upload and JavaScript", because it does not just work that way.
As history, I *found* a bug with JavaScript and file upload about
16 months ago in Netscape 2.01, just a few days after that release.
I did not release details of that bug until 2.02 was released.
However, I never got a $1000 "bounty" for that bug (although I did
for something earlier). If you've an old browser around (as this
was fixed around 3.0b2, I think), you can try it at
http://www.opengroup.org/~loverso/javascript/
and look for the entry dated March 21, 1996.
John