CVE-1999-1345 in Auto_FTP
Summary
by MITRE
Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/19/2026
The vulnerability identified in CVE-1999-1345 affects the Auto_FTP 0.2 software package and specifically targets the Auto_FTP.pl script which utilizes /tmp/ftp_tmp as a shared directory for file transfers. This represents a classic privilege escalation and information disclosure vulnerability that exploits insecure directory permissions to allow local users to manipulate the file transfer process. The flaw exists in the fundamental design of how temporary files are handled during FTP operations, creating an attack surface that can be exploited by users with minimal privileges.
The technical implementation of this vulnerability stems from the script's failure to properly secure the /tmp/ftp_tmp directory with appropriate permissions. When the Auto_FTP.pl script runs, it creates a shared directory at /tmp/ftp_tmp that is accessible to all local users. This directory serves as an intermediary location where files are temporarily stored during transfer operations. The insecure permissions allow any local user to both place files into this directory and to read files that are currently being transferred, creating a scenario where malicious users can either inject arbitrary content into the transfer process or intercept sensitive data.
From an operational impact perspective, this vulnerability enables local users to perform unauthorized file transfers to remote servers through the automated FTP process, essentially bypassing normal authentication and authorization mechanisms. Attackers can place malicious files in the shared directory, which will then be transferred to the remote server without proper verification or access controls. Additionally, the ability to view files during transfer operations creates a significant information disclosure risk, as sensitive data being transferred can be read by unauthorized local users. This vulnerability essentially transforms a controlled file transfer process into an open system where local users can manipulate both the source and destination of file transfers.
The security implications of this vulnerability align with CWE-732, which addresses incorrect permissions for critical resources, and represents a classic example of insufficient privilege separation in temporary file handling. The attack vector follows patterns consistent with the ATT&CK framework's privilege escalation techniques, specifically targeting local users to gain unauthorized access to network resources. The vulnerability demonstrates poor security hygiene in the software's design, as it fails to implement proper access controls and file permission management for temporary directories. Organizations using Auto_FTP 0.2 should immediately implement mitigations including restricting permissions on the /tmp/ftp_tmp directory to ensure only authorized processes can access it, and potentially implementing more secure temporary file handling mechanisms that prevent local users from manipulating the transfer process. The vulnerability also highlights the importance of following secure coding practices and proper privilege separation in automated file transfer systems.