CVE-1999-1475 in ProFTPDinfo

Summary

by MITRE

ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/19/2026

This vulnerability exists in ProFTPd version 1.2 when compiled with the mod_sqlpw module, creating a critical security flaw that exposes user credentials through improper logging practices. The vulnerability stems from the module's design to store password information in the wtmp log file, which is a standard system file used to record user login and logout activities. When the mod_sqlpw module processes user authentication, it inadvertently writes password data into this log file, creating an exploitable condition that undermines the fundamental security principles of credential protection.

The technical implementation of this flaw involves the mod_sqlpw module's interaction with the system's authentication mechanisms and logging infrastructure. When users authenticate through ProFTPd, the module records not only session information but also password data in the wtmp file format, which is typically accessed by system utilities like the last command. This design flaw violates the principle of least privilege and creates a direct pathway for local attackers to obtain sensitive authentication credentials. The vulnerability operates at the system-level logging layer, where the module's improper handling of password information creates a persistent exposure that can be exploited by any local user with access to the wtmp file or related system commands.

The operational impact of this vulnerability is severe and far-reaching, as it enables local privilege escalation and credential theft without requiring network access or complex exploitation techniques. Attackers can simply execute the last command or similar utilities that read the wtmp file to extract password information, making this a particularly dangerous flaw in environments where local access is possible. The vulnerability affects the confidentiality and integrity of the authentication system, potentially allowing attackers to gain unauthorized access to multiple accounts and escalate their privileges within the system. This flaw represents a critical failure in the principle of secure credential handling and demonstrates how improper logging practices can create significant security risks.

Organizations affected by this vulnerability should immediately implement mitigations including disabling the mod_sqlpw module when it is not essential for operations, implementing proper file access controls on wtmp files, and ensuring that local system access is restricted to authorized personnel only. The recommended solution involves either removing the problematic module from the ProFTPd installation or configuring the system to prevent local users from accessing the wtmp file through the last command or similar utilities. Additionally, system administrators should consider implementing centralized logging solutions that properly separate authentication data from session logs, and should conduct regular security audits to identify similar improper logging practices within their infrastructure. This vulnerability aligns with CWE-312 (Cleartext Storage of Sensitive Information) and represents a direct violation of security best practices outlined in various compliance frameworks including pci dss and iso 27001 standards. The ATT&CK framework categorizes this as a privilege escalation technique through credential access, specifically leveraging local system utilities to obtain sensitive information.

Sources

Want to know what is going to be exploited?

We predict KEV entries!