Mozilla before 1.6 does not display the entire URL in the status bar when a link contains %00, which could allow remote attackers to trick users into clicking on unknown or untrusted sites and facilitate phishing attacks.