UCF STIG Viewer Logo

Prevent unsafe file types to be attached to InfoPath forms.


Overview

Finding ID Version Rule ID IA Controls Severity
V-17764 DTOO160 - InfoPath SV-18966r1_rule ECSC-1 Medium
Description
By default, users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath 2007 disallows by default, see "Security Details" in Insert a file attachment control on the Microsoft Office Online Web site. If unsafe file types are added to InfoPath forms, they might be used as a means of attacking the computer on which the form is opened. These unsafe file types may include active content, or may introduce other vulnerabilities that an attacker can exploit.
STIG Date
Microsoft InfoPath 2007 2015-10-02

Details

Check Text ( C-19027r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> Security -> “Prevent users from allowing unsafe file types to be attached to forms” will be set to “Enabled”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Criteria: If the value DisallowAttachmentCustomization is REG_DWORD = 1, this is not a finding.
Fix Text (F-17663r1_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> Security -> “Prevent users from allowing unsafe file types to be attached to forms” will be set to “Enabled”.