
CVE-1999-1475: ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which al

Severity: Medium
Vulnerability: CVE-1999-1475
Published: Fri Nov 19 1999 (11/19/1999, 05:00:00 UTC)
Source: NVD
Vendor/Project: proftpd_project
Product: proftpd

Description

ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.

AI-Powered Analysis

Last updated: 07/01/2025, 13:42:44 UTC

Technical Analysis

CVE-1999-1475 is a vulnerability in ProFTPd version 1.2 when compiled with the mod_sqlpw module. ProFTPd is a widely used FTP server, and mod_sqlpw authenticates users against a SQL database. The vulnerability arises because the module records user passwords in plaintext in the wtmp log file. The wtmp file is a standard Unix log file that tracks user login sessions and is typically accessible to local users. Because the passwords are stored in plaintext, any local user with read access to wtmp can retrieve other users' FTP passwords by examining the log entries, for example with the 'last' command, which reads wtmp.

This exposure allows an attacker to escalate privileges by using the stolen credentials to gain unauthorized access to the FTP server or to other systems where the same credentials are reused. The vulnerability has a CVSS score of 4.6 (medium severity), with a local attack vector (AV:L), low attack complexity (AC:L), no authentication required (Au:N), and partial impact on confidentiality, integrity, and availability (C:P/I:P/A:P).

There is no patch available for this vulnerability, and no known exploits have been reported in the wild. The risk remains for environments still running this outdated version of ProFTPd with the mod_sqlpw module enabled. The vulnerability is primarily a local privilege escalation and credential disclosure issue caused by improper logging practices.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on whether they operate legacy systems running ProFTPd 1.2 compiled with mod_sqlpw. If such systems exist, local users or attackers who have gained limited access could extract FTP user passwords from the wtmp logs, leading to unauthorized access to FTP services. This could result in data breaches, unauthorized data modification, or disruption of services hosted on the FTP server. Given that FTP is often used for transferring sensitive files, exposure of credentials could compromise confidentiality and integrity of critical data. Additionally, if credentials are reused across other systems, the risk extends beyond the FTP server itself. Although the vulnerability requires local access, insider threats or attackers who have already penetrated the network perimeter could exploit it to escalate privileges. European organizations with strict data protection regulations such as GDPR could face compliance issues if sensitive data is exposed due to this vulnerability. The absence of a patch means organizations must rely on compensating controls or upgrades to mitigate risk.

Mitigation Recommendations

Since no patch is available for this vulnerability, European organizations should consider the following specific mitigation steps:

1) Upgrade ProFTPd to a more recent, supported version that does not exhibit this vulnerability and avoid using the mod_sqlpw module if possible.
2) Restrict local access permissions to the wtmp log file to the minimum necessary users, ensuring that only trusted administrators can read it.
3) Implement strict access controls and monitoring on systems running ProFTPd to detect unauthorized local access attempts.
4) Consider disabling or replacing the mod_sqlpw module with alternative authentication mechanisms that do not log plaintext passwords.
5) Conduct audits of FTP server configurations and logs to identify any exposure of credentials.
6) Educate system administrators and users about the risks of password reuse and enforce strong, unique passwords.
7) If upgrading is not immediately feasible, isolate affected FTP servers within secure network segments to limit local user access.
8) Employ host-based intrusion detection systems to alert on suspicious activities related to wtmp file access or FTP authentication anomalies.
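The wtmp permission restriction in step 2 only holds if log rotation does not recreate the file world-readable, so both need checking. The shell functions below are an added example, not part of the original advisory or of ProFTPd; the function names are hypothetical, and the code assumes GNU `stat` and a logrotate stanza whose opening brace is on the same line as the log path.

```shell
#!/bin/sh
# Added example: audit read access to wtmp (mitigation step 2).
# Paths are arguments so the checks can be run against constructed files.

# Succeeds if the last octal digit of a mode string grants read to "other".
other_reads() {
    d=${1#"${1%?}"}                      # last character, e.g. 0664 -> 4
    [ $((d & 4)) -ne 0 ]
}

# Succeeds if the file is currently readable by "other".
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat, octal mode
    other_reads "$mode"
}

# Prints the mode that logrotate's "create" directive applies to the log at
# rotation time, read from the stanza naming that log; prints nothing if none.
rotate_create_mode() {                   # $1 = logrotate config, $2 = log path
    awk -v target="$2" '
        index($0, target) && /[{]/ { in_stanza = 1; next }
        in_stanza && /[}]/         { in_stanza = 0 }
        in_stanza && $1 == "create" && $2 ~ /^[0-7]+$/ { print $2; exit }
    ' "$1"
}

# Reports findings and returns 1 if the log is, or will become, world-readable.
audit_wtmp() {                           # $1 = wtmp path, $2 = logrotate config
    rc=0
    if world_readable "$1"; then
        echo "FINDING: $1 is world-readable; restrict with: chmod o-r $1"
        rc=1
    fi
    cmode=$(rotate_create_mode "$2" "$1")
    if [ -n "$cmode" ] && other_reads "$cmode"; then
        echo "FINDING: $2 recreates $1 with mode $cmode at rotation"
        rc=1
    fi
    return $rc
}

# Typical invocation on a live host (run as root):
#   audit_wtmp /var/log/wtmp /etc/logrotate.conf
```

Removing read access for "other" means `last` works only for root and members of the file's group, so confirm that no unprivileged tooling depends on it.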

Threat ID: 682ca32cb6fd31d6ed7df41e

Added to database: 5/20/2025, 3:43:40 PM

Last enriched: 7/1/2025, 1:42:44 PM

Last updated: 7/27/2025, 12:00:06 AM
