_OTHER_ Holes:

1) This will reveal the path to PHP directory and other...maybe
interesting to someone, I didn't really care but decided to include
it. The problem is in options.php.

http://<VULNERABLE
SITE>.net/webmail/src/options.php?optpage=<script>alert('boop!')</script>

it returns the following on the page for the server I tested:

Fatal error: Failed opening required ''
(include_path='.:/php/includes:/usr/share/php') in
/var/www/squirrelmail/src/options.php on line 172

src/options.php

@@ -116,8 +116,10 @@ function print_optionpages_row($leftopt, $rightopt = false) {
 /* ---------------------------- main ---------------------------- */
 
 /* Make sure we have an Option Page set. Default to main. */
-if (!isset($optpage)) {
-    $optpage = 'main';
+if ( !isset($optpage) || $optpage == '' ) {
+    $optpage = SMOPT_PAGE_MAIN;
+} else {
+    $optpage = strip_tags( $optpage );
 }
 
 /* Make sure we have an Option Mode set. Default to display. */
@@ -136,7 +138,8 @@ $optpage_loader = '';
 
 /* Set the load information for each page. */
 switch ($optpage) {
-    case SMOPT_PAGE_MAIN: break;
+    case SMOPT_PAGE_MAIN: 
+        break;
     case SMOPT_PAGE_PERSONAL:
         $optpage_name     = _("Personal Information");
         $optpage_file     = SM_PATH . 'include/options/personal.php';
@@ -174,8 +177,11 @@ switch ($optpage) {
 /*** Second, load the option information for this page. ***/
 /**********************************************************/
 
-if ($optpage != SMOPT_PAGE_MAIN) {
+if ( !is_file( $optpage_file ) ) {
+    $optpage = SMOPT_PAGE_MAIN;
+} else if ($optpage != SMOPT_PAGE_MAIN ) {
     /* Include the file for this optionpage. */
+    
     require_once($optpage_file);
 
     /* Assemble the data for this option page. */