PT-2008-5726 · Microsoft · Picturepusher Activex Control+1

Rgod · Published 2008-10-08 · Updated 2017-09-29 · CVE-2008-4493

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Microsoft Digital Image 2006 Starter Edition
Description: The Microsoft PicturePusher ActiveX control (PipPPush.DLL 7.00.0709) allows remote attackers to force the upload of arbitrary files by using the AddString and Post methods and a modified PostURL to construct an HTTP POST request. This issue might only be exploitable in limited environments or non-default browser settings.
Recommendations: For Microsoft Digital Image 2006 Starter Edition, consider disabling the use of the Microsoft PicturePusher ActiveX control until a patch is available. Restrict access to the AddString and Post methods to minimize the risk of exploitation. Avoid using the PostURL parameter in the affected control to construct HTTP POST requests until the issue is resolved.

Exploit · Fix · RCE

Related Identifiers

CVE-2008-4493

Affected Products

Digital Image
Picturepusher Activex Control