
CVE-1999-1337: FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites

Severity: Medium
Type: Vulnerability
Published: Sun Aug 01 1999 (08/01/1999, 04:00:00 UTC)
Source: NVD
Vendor/Project: midnight_commander
Product: midnight_commander

Description

FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges.

AI-Powered Analysis

Last updated: 07/01/2025, 16:39:48 UTC

Technical Analysis

CVE-1999-1337 is a medium-severity vulnerability affecting the FTP client component of Midnight Commander (mc) versions prior to 4.5.11. Midnight Commander is a text-based file manager commonly used on Unix-like systems. The vulnerability arises because the FTP client stores usernames and passwords for visited FTP sites in plaintext within a world-readable history file. This means that any local user on the same system can access this file and retrieve sensitive credentials without needing elevated privileges. The vulnerability impacts confidentiality, integrity, and availability to some extent: confidentiality is compromised due to plaintext credential exposure; integrity and availability could be affected if an attacker uses stolen credentials to modify or disrupt FTP-hosted files or services. The CVSS score is 4.6 (medium), reflecting that the attack vector is local (AV:L), with low attack complexity (AC:L), no authentication required (Au:N), and partial impact on confidentiality, integrity, and availability (C:P/I:P/A:P). There is no patch available for this vulnerability, and no known exploits have been reported in the wild. The issue is primarily a local privilege escalation risk via credential disclosure rather than a remote exploit. Given the age of the vulnerability (published in 1999) and the lack of a patch, it is likely that modern versions of Midnight Commander have addressed this issue or that usage of vulnerable versions is limited. However, systems still running these older versions remain at risk if multiple users share the same environment.

Potential Impact

For European organizations, the primary impact is the risk of local privilege escalation and credential compromise on multi-user systems where Midnight Commander is used. Organizations with shared Unix/Linux environments, such as universities, research institutions, or enterprises with multi-user servers, could be vulnerable if they run outdated versions of Midnight Commander. Exposure of FTP credentials can lead to unauthorized access to FTP servers, potentially resulting in data theft, unauthorized data modification, or disruption of services. While the vulnerability requires local access, insider threats or attackers who have gained limited access could leverage this to escalate privileges or move laterally within the network. The impact is more significant in environments where FTP credentials grant access to critical or sensitive data repositories. Given that FTP is an older protocol often replaced by more secure alternatives, the risk may be limited to legacy systems still in operation within European organizations.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Upgrade Midnight Commander to version 4.5.11 or later, where this issue is resolved. If upgrading is not feasible, consider disabling or avoiding the use of the built-in FTP client in Midnight Commander.
2) Restrict file permissions on the history file to prevent world-readable access, ensuring only the owning user can read the file (e.g., chmod 600).
3) Transition from FTP to more secure file transfer protocols such as SFTP or FTPS, which provide encrypted credential transmission and storage.
4) Implement strict user access controls and monitoring on multi-user systems to detect unauthorized access attempts.
5) Educate users about the risks of storing credentials in plaintext and encourage the use of credential managers or environment variables with proper permissions.
6) Regularly audit systems for outdated software versions and insecure configurations to reduce exposure to legacy vulnerabilities.
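
The permission check in recommendation 2, as an added shell example (not part of the original advisory and not Midnight Commander code): it reports history files that group or other users can read and tightens them to owner-only. The function names are hypothetical, and the history file's location is passed as an argument because the advisory does not name the path.

```shell
#!/bin/sh
# Added example: audit and tighten a credential-bearing history file.
# The file location is an argument; the advisory does not name the path.

# history_is_exposed FILE
# 0 = readable by group or others, 1 = owner-only, 2 = not a regular file.
history_is_exposed() {
    f=$1
    # Refuse symlinks so a later chmod cannot be redirected to another file.
    [ -f "$f" ] && [ ! -L "$f" ] || return 2
    # POSIX find: "-perm -040" / "-perm -004" match when that read bit is set.
    hit=$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print)
    [ -n "$hit" ]
}

# harden_history FILE
# chmod 600 if exposed; returns 0 only when FILE ends up owner-only.
harden_history() {
    f=$1
    rc=0
    history_is_exposed "$f" || rc=$?
    case $rc in
        0) chmod 600 "$f" || return 1
           echo "tightened: $f" ;;
        1) echo "ok: $f" ;;
        *) echo "skipped (not a regular file): $f" >&2
           return 2 ;;
    esac
    # Re-check so a failed chmod is never reported as success.
    rc=0
    history_is_exposed "$f" || rc=$?
    [ "$rc" -eq 1 ]
}

# audit_homes RELPATH [HOME_ROOT]
# Prints every HOME_ROOT/<user>/RELPATH that other local users can read.
audit_homes() {
    rel=$1
    root=${2:-/home}
    for h in "$root"/*/; do
        history_is_exposed "${h}${rel}" && echo "${h}${rel}"
    done
    return 0
}
```

Tightening the mode does not remove credentials already written to the file, so passwords found in an exposed file should be treated as disclosed and changed.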


Threat ID: 682ca32cb6fd31d6ed7df138

Added to database: 5/20/2025, 3:43:40 PM

Last enriched: 7/1/2025, 4:39:48 PM

Last updated: 7/26/2025, 7:46:41 AM
