
Nope, you have an image embedded in somebody else's web site, the script never runs.

Also that's completely different than what you originally said.



Andy, you're very confused.


Look. You are the one making the claim that you can exploit this. I call bullshit. So either prove it, or drop it. Accusing me of being "confused" does not provide evidence for your claim.


I'm not sure where I appeared to contradict myself in my earlier posts, so I'm unsure how to clarify this for you. Best I can do is this:

Here is a link to a variation of the "image" file which is the subject of this post: https://dl.dropbox.com/u/131649/squirrel.html

I have embedded harmless (-- honest! --) script in the file to demonstrate that your browser will execute the script in the context of the site where the file is hosted.

So, click the link. (Again I promise that no harm will come to your computer.) Now imagine that dl.dropbox.com is, instead, some hypothetical site where users are expected to upload images, but not HTML documents containing arbitrary script, and the security implications should be fairly obvious.
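The server-side counterpart of the point above, added here as an example and not code from the thread: a site that accepts image uploads cannot rely on the file's leading bytes alone, because the file in this thread starts as a valid image and still carries HTML, so the check below also scans for markup and pairs validation with response headers that stop the browser from sniffing the upload as a document. The magic-byte table, marker regex and function names are my own assumptions.

```python
"""Defensive handling of user-uploaded "images" that might double as HTML.

Hypothetical helpers; not from the HN thread or any project discussed there.
"""
import re

# Leading bytes of common raster formats (constructed lookup table).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Markup that a browser's content sniffer or a lenient HTML parser may latch onto.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|object|embed|svg)\b",
    re.IGNORECASE,
)


def detect_image_type(data: bytes):
    """Return the MIME type implied by the magic bytes, or None if unrecognised."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def classify_upload(data: bytes) -> dict:
    """Accept only files that look like an image AND contain no HTML-looking markup.

    A valid GIF/PNG/JPEG header followed by HTML is exactly the polyglot the
    thread describes, so the magic-byte check alone would wave it through.
    """
    mime = detect_image_type(data)
    has_markup = HTML_MARKERS.search(data) is not None
    return {
        "mime": mime,
        "has_html_markup": has_markup,
        "accept": mime is not None and not has_markup,
    }


def safe_image_headers(mime: str) -> dict:
    """Response headers so the browser never reinterprets the upload as a document.

    Serving uploads from a separate origin (not the main site) is the stronger fix;
    these headers reduce the damage when that is not possible.
    """
    return {
        "Content-Type": mime,                  # the type we validated, never client-supplied
        "X-Content-Type-Options": "nosniff",   # disable MIME sniffing
        "Content-Security-Policy": "sandbox",  # if it does render, no script and no origin
    }
```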



