Check: DTOO160 - InfoPath
Microsoft InfoPath 2010 STIG:
DTOO160 - InfoPath
(in versions v1 r11 through v1 r10)
Title
Unsafe file types must be prevented from being attached to InfoPath forms. (Cat II impact)
Discussion
Users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath disallows by default, see "Security Details" in Insert a file attachment control on the Microsoft Office Online Web site. If unsafe file types are added to InfoPath forms, they might be used as a means of attacking the computer on which the form is opened. These unsafe file types may include active content, or may introduce other vulnerabilities that an attacker can exploit.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> Security -> “Prevent users from allowing unsafe file types to be attached to forms” must be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\infopath\security Criteria: If the value DisallowAttachmentCustomization is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> Security -> “Prevent users from allowing unsafe file types to be attached to forms” to “Enabled”.
Additional Identifiers
Rule ID: SV-33668r1_rule
Vulnerability ID: V-17764
Group Title: DTOO160 - Unsafe File Attachments in InfoPath
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001170 |
The information system prevents the automatic execution of mobile code in organization-defined software applications. |
Controls
Number | Title |
---|---|
SC-18 (4) |
Prevent Automatic Execution |