It was found that the SquirrelMail webmail client did not properly handle generation of a particular web page HTML header in cases when the entire application was loaded in a separate HTML frame, potentially overloading other HTML elements on top of SquirrelMail's user interface. A remote attacker could use this flaw to obtain access to sensitive user data (passwords, for example).
Relevant upstream patch:
This issue affects the versions of the squirrelmail package, as shipped with
Red Hat Enterprise Linux 4 and 5.
This issue affects the version of the squirrelmail package, as present within
the EPEL-6 repository. Please schedule an update.
This issue affects the versions of the squirrelmail package, as shipped with Fedora releases 14 and 15. Please schedule an update.
Created squirrelmail tracking bugs for this issue
Affects: epel-6 [bug 720696]
Affects: fedora-all [bug 720697]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2012:0103 https://rhn.redhat.com/errata/RHSA-2012-0103.html