A new vulnerability has been discovered in SquirrelMail. The file src/options_identities.php contained some very bad, legacy code: an extract($_POST) was done, effectively allowing a malicious attacker to change session variables and even other people's preferences. It must be noted that for this to happen you need to trick someone into using an external form to post the information, which is not trivial.
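The extract($_POST) pattern described in the report above, shown next to a field-by-field alternative. This is an added PHP example, not SquirrelMail's code and not the upstream patch; the function names, field names and request values are constructed for illustration.

```php
<?php
// Added illustration; not SquirrelMail code. All names and values are constructed.

// Pattern from the report: every POST field becomes a local variable.
// extract() defaults to EXTR_OVERWRITE, so a field named like an existing
// variable replaces that variable's value.
function save_identity_unsafe(array $post, array $session): array
{
    $username  = $session['username'];   // trusted: set from the login session
    $full_name = '';
    extract($post);                      // request data can now replace $username
    return ['owner' => $username, 'full_name' => $full_name];
}

// Hardened form: read only the expected fields, by name, and keep
// session-derived values out of reach of request data.
function save_identity_safe(array $post, array $session): array
{
    $allowed = ['full_name', 'email_address', 'reply_to']; // assumed field list
    $fields  = [];
    foreach ($allowed as $key) {
        $value = $post[$key] ?? '';
        // Reject arrays and other non-string input instead of trusting its shape.
        $fields[$key] = is_string($value) ? trim($value) : '';
    }
    return ['owner' => $session['username']] + $fields;
}

// Constructed input: one expected field plus one field that shares its name
// with an internal variable.
$session = ['username' => 'alice'];
$post    = ['full_name' => 'Alice A.', 'username' => 'bob'];

$unsafe = save_identity_unsafe($post, $session);
$safe   = save_identity_safe($post, $session);

// In the unsafe version the owner follows the POST body; in the safe version
// it follows the session.
printf("unsafe owner: %s\n", $unsafe['owner']);
printf("safe owner:   %s\n", $safe['owner']);
```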
This issue also affects RHEL3.
Created attachment 116290: Proposed patch from upstream
Now public at http://www.squirrelmail.org/security/issue/2005-07-13; removing embargo.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-595.html