Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17668 | DTOO170 - InfoPath | SV-18832r1_rule | ECSC-1 | Medium |
Description |
---|
An attacker might target InfoPath 2003 forms to try and compromise an organization's security. InfoPath 2003 did not write a publish location for e-mail forms, which meant that forms could open without a corresponding published location. By default, InfoPath 2007 sends all forms via e-mail using InfoPath e-mail forms integration, including forms that were created using the InfoPath 2003 file format. |
STIG | Date |
---|---|
Microsoft InfoPath 2007 | 2014-01-07 |
Check Text ( C-18939r1_chk ) |
---|
The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath Criteria: If the value DisableInfoPath2003EmailForms is REG_DWORD = 1, this is not a finding. |
Fix Text (F-17566r1_fix) |
---|
The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” will be set to “Enabled”. |