Unsafe file types must be prevented from being attached to InfoPath forms.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17764	DTOO160	SV-53355r1_rule		Medium

Description
Users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath disallows by default, see "Security Details" in Insert a file attachment control on the Microsoft Office Online website. If unsafe file types are added to InfoPath forms, they might be used as a means of attacking the computer on which the form is opened. These unsafe file types may include active content, or may introduce other vulnerabilities that an attacker can exploit.

Description

Users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath disallows by default, see "Security Details" in Insert a file attachment control on the Microsoft Office Online website. If unsafe file types are added to InfoPath forms, they might be used as a means of attacking the computer on which the form is opened. These unsafe file types may include active content, or may introduce other vulnerabilities that an attacker can exploit.

STIG	Date
Microsoft InfoPath 2013 STIG	2016-10-28

Details

Check Text ( None )
None

Fix Text (F-46282r1_fix)
Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security -> "Prevent users from allowing unsafe file types to be attached to forms" to "Enabled".