DTOO168 - InfoPath - Disabling sending form templates with the email forms must be configured.

Information

InfoPath allows users to attach form templates when sending e-mail forms. If users are able to open form templates included with e-mail forms, rather than using a cached version that is previously published, an attacker could send a malicious form template with the e-mail form in an attempt to gain access to sensitive information.
Note: The form template is only opened directly if the form opens with a restricted security level. Otherwise the attachment is actually a link to the published location.

Solution

Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> InfoPath e-mail forms 'Disable sending form template with e-mail forms' to 'Enabled'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_InfoPath_2010_V1R12_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4), CAT|II, CCI|CCI-001170, Rule-ID|SV-33639r1_rule, STIG-ID|DTOO168, Vuln-ID|V-17667

Plugin: Windows

Control ID: d2c371f963bb216c89165af50e9c0093fb2f6605a651611c8d2adc44d9b290a4