Title

Disable dynamic caching of the form template in InfoPath eMail forms. (Cat II impact)

Discussion

By default, InfoPath 2007 caches form templates when they are attached to a mail item that is recognized as an InfoPath e-mail form. When users fill out forms that open with a restricted security level, InfoPath uses the cached version of the mailed template, rather than any published version. To circumvent users filling out a published form, an attacker could e-mail an alternate version of the form, which would return the data to the sender as part of a phishing attack and could be used to gain access to confidential information.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable dynamic caching of the form template in InfoPath e-mail forms” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment Criteria: If the value CacheMailXSN is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable dynamic caching of the form template in InfoPath e-mail forms” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18804r1_rule

Vulnerability ID: V-17654

Group Title: DTOO169 - Disable dynamic caching / form template

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.