Unsafe file types must be prevented from being attached to InfoPath forms.

From Microsoft InfoPath 2013 STIG

Part of DTOO160 - Unsafe File Attachments in InfoPath

Associated with: CCI-001170

SV-53355r1_rule Unsafe file types must be prevented from being attached to InfoPath forms.

Vulnerability discussion

Users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath disallows by default, see "Security Details" in Insert a file attachment control on the Microsoft Office Online website.If unsafe file types are added to InfoPath forms, they might be used as a means of attacking the computer on which the form is opened. These unsafe file types may include active content, or may introduce other vulnerabilities that an attacker can exploit.

Check content

The policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security -> "Prevent users from allowing unsafe file types to be attached to forms" must be set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\InfoPath\security Criteria: If the value DisallowAttachmentCustomization is REG_DWORD = 1, this is not a finding.

Fix text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security -> "Prevent users from allowing unsafe file types to be attached to forms" to "Enabled".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer