writes "Internet Explorer 7 and Firefox 2.0 share a logic flaw. The issue is actually more severe, as the two versions of the Microsoft and Mozilla browsers are not the only ones affected. The vulnerability impacts Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 7, and Firefox 188.8.131.52.
"In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, ".value" parameter cannot be set or changed, and any changes to .type reset the contents of the field," said Michal Zalewski, the person that discovered the IE7 flaw.
There are Proof of concepts for both IE7 and firefox"