CVE-1999-1337 in Midnight Commander
Summary
by MITRE
FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/19/2026
The vulnerability identified as CVE-1999-1337 represents a critical security flaw in the Midnight Commander file manager application, specifically affecting versions prior to 4.5.11. This issue manifests in the FTP client component's improper handling of authentication credentials, creating a persistent security risk for systems utilizing this popular terminal-based file manager. The vulnerability stems from the application's design decision to store sensitive authentication information in a manner that exposes it to unauthorized access by local users, fundamentally undermining the security model of the system.
The technical implementation of this vulnerability involves the FTP client within Midnight Commander maintaining a history file that contains plaintext credentials for all visited sites. This history file is configured with world-readable permissions, meaning any local user on the system can access its contents without authentication. The flaw occurs because the application fails to implement proper access controls or encryption mechanisms for storing these credentials, directly violating secure coding practices and exposing sensitive authentication data to all users with read access to the file system. The plaintext storage approach makes the credentials immediately usable by any malicious user who gains access to the history file, regardless of their privileges or authentication status.
The operational impact of this vulnerability extends beyond simple credential exposure, as it enables privilege escalation and lateral movement within compromised systems. Local users who can read the world-readable history file gain immediate access to authentication credentials for various FTP servers, potentially allowing them to access sensitive data repositories, compromise additional systems, or conduct unauthorized operations. This vulnerability particularly affects environments where multiple users share a single system or where the Midnight Commander application is used in shared computing environments. The risk is amplified in scenarios where users connect to multiple FTP servers with different levels of access, as the compromise of one set of credentials could potentially lead to broader system compromise.
This vulnerability aligns with CWE-312, which specifically addresses the exposure of sensitive information through improper data handling, and represents a classic example of poor credential storage practices. The issue also maps to ATT&CK technique T1555.003, which covers credential access through the exploitation of stored credentials, highlighting the operational security implications for attackers who can leverage this weakness. Mitigation strategies should focus on implementing proper file access controls, encrypting sensitive data storage, and ensuring that applications do not store authentication credentials in plaintext formats. The most effective remediation involves updating to Midnight Commander version 4.5.11 or later, which addresses the insecure credential storage mechanism by implementing proper access controls and encryption for stored authentication information. Additionally, system administrators should conduct thorough audits of similar applications and implement security monitoring to detect unauthorized access to credential storage files, ensuring that all local users maintain appropriate access controls and that sensitive data remains protected through proper cryptographic practices.