Disable sending the form template with the eMail form in InfoPath.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17667	DTOO168 - InfoPath	SV-18830r1_rule	ECSC-1	Medium

Description
By default, InfoPath 2007 allows users to attach form templates when sending e-mail forms. If users are able to open form templates included with e-mail forms, rather than using a cached version that is previously published, an attacker could send a malicious form template with the e-mail form in an attempt to gain access to sensitive information. Note The form template is only opened directly if the form opens with a restricted security level. Otherwise the attachment is actually a link to the published location.

Description

By default, InfoPath 2007 allows users to attach form templates when sending e-mail forms. If users are able to open form templates included with e-mail forms, rather than using a cached version that is previously published, an attacker could send a malicious form template with the e-mail form in an attempt to gain access to sensitive information. Note The form template is only opened directly if the form opens with a restricted security level. Otherwise the attachment is actually a link to the published location.

STIG	Date
Microsoft InfoPath 2007	2014-01-07

Details

Check Text ( C-18938r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending form template with e-mail forms” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment Criteria: If the value MailXSNwithXML is REG_DWORD = 0, this is not a finding.

Check Text ( C-18938r1_chk )

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending form template with e-mail forms” will be set to “Enabled”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

Criteria: If the value MailXSNwithXML is REG_DWORD = 0, this is not a finding.

Fix Text (F-17565r1_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending form template with e-mail forms” will be set to “Enabled”.