Possible XSS in MagicHTML (IE only) http://www.squirrelmail.org/security/issue/2006-02-10 (Text taken from the above URL) The MagicHTML filter for incoming HTML email did not correctly disregard comments (/* */) inserted in style sheets ("u/* */rl"). It also accepted "u\rl" as "url" in styles. These allow a malicious user to break the privacy of the user by having them request an item from a remote site when reading the mail. This happens only in browsers that parse this invalid style, only one known is Internet Explorer. source=secunia,reported=20060222,public=20060210
From User-Agent: XML-RPC squirrelmail-1.4.6-1.fc4 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
Not sure why this wasn't closed earlier.