Title

Control behavior when opening forms in the Intranet Security Zone - InfoPath (Cat II impact)

Discussion

When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location on the Local Intranet and then opens the same form from another location on the Local Intranet, the cache will be updated with the new location information. If the user then opens the first form from its saved location, there will be a mismatch between the locally saved form and the locally cached form. This situation would typically happen when developers move forms to a new location, but if there is no warning when the cached location is used it could be misused by an attacker attempting to redirect the forms to a new location. This type of attack is a form of beaconing. By default, if the location information in the cached form and the saved form do not match, then the form cannot be opened without prompting the user for consent.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> Security -> “Control behavior when opening forms in the Intranet security zone” will be set to “Enabled (Block)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors Criteria: If the value Intranet is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> Security -> “Control behavior when opening forms in the Intranet security zone” will be set to “Enabled (Block)”.

Additional Identifiers

Rule ID: SV-18695r1_rule

Vulnerability ID: V-17578

Group Title: DTOO162 - Forms opening behavior for Intranet Zone

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.