Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/czech.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/czech.html@@ -784,9 +784,9 @@ str_banip_tip = "Dočasný zákaz IP", left_graphs = "Grafy", str_online_sessions = "Online spojení",-str_last_5min = "Posledních pět minut",-str_last_5hour = "Posledních pět hodin",-str_last_10day = "Posledních deset dnů",+str_last_5min = "Posledních 6 minut",+str_last_5hour = "Posledních 6 hodin",+str_last_10day = "Posledních 15 dnů", str_password_strength = "Heslo síla", title_windowsauth = "Windows autentifikace",@@ -999,6 +999,7 @@ str_ldap_timeout = "Vypršel časový limit LDAP", str_real_owner_group = "Zobrazit skutečného vlastníka/skupinu ve výpisu souborů (Linux/Mac)", str_no_renegotiation = "Zakázat opětovné vyjednávání SSL/TLS iniciované klientem",+str_anonymous_weblink = "Vždy povolit WebLink bez ohledu na stav uživatele (např. zakázán).", calendar_months = "'Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'",
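Review bot: the three str_last_* labels widen the stated windows (5 to 6 minutes, 5 to 6 hours, 10 to 15 days) with nothing in this file explaining why; the identical edit appears in webadmin/language/romanian.html further down this page, so this reads as a server-side change to the graph sampling interval propagated into the translations. The commit should say so, and every other webadmin/language/*.html needs the same three-line update, or admins on the remaining locales will read the online-session graphs against the wrong period.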
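Review bot: the new str_anonymous_weblink label ("Vždy povolit WebLink bez ohledu na stav uživatele (např. zakázán).") describes an option whose security consequence the wording hides: with it enabled, disabling an account no longer revokes the WebLinks that account already published. The string, or the help text beside it, should state that plainly and say whether the option is off by default, so an administrator who disables a compromised account knows its share links must be removed separately.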
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be either text label updates or feature additions rather than security patches. Here's the analysis:

1. Vulnerability Existed: no
Text Label Updates [File] [Lines 784-786]
[Old Code]
str_last_5min = "Posledních pět minut",
str_last_5hour = "Posledních pět hodin",
str_last_10day = "Posledních deset dnů",
[Fixed Code]
str_last_5min = "Posledních 6 minut",
str_last_5hour = "Posledních 6 hodin",
str_last_10day = "Posledních 15 dnů",

2. Vulnerability Existed: no
Feature Addition [File] [Line 999]
[Old Code]
(no corresponding line)
[Fixed Code]
str_anonymous_weblink = "Vždy povolit WebLink bez ohledu na stav uživatele (např. zakázán).",

The changes are:
1. Adjusting time period labels in statistics/display (no security impact)
2. Adding a new configuration option for WebLink behavior (a feature addition rather than a security fix)

No known vulnerability names apply to these changes, and there's no evidence of security-related fixes in this diff.
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/japanese.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/japanese.html@@ -50,7 +50,7 @@ rmdir_tip = "(すべてのサブディレクトリとファイルが削除します!)", create_title = "新規フォルダ", create_filename = "フォルダ名",-create_submit = " はい ",+create_submit = " はい ", create_cancel = "閉じる", goto_title = "ディレクトリの移動", goto_path = "ディレクトリパス",@@ -171,7 +171,7 @@ str_searchin = "検索のディレクトリ", str_searchfor = "検索の内容", str_searchfiles = "サイトでファイルを検索する",-str_search_tip = "検索用のキーワードを入力してください!",+str_search_tip = "検索するファイル名を入力してください", str_searching = "検索中...", str_searchfor_tip = "<b>例えば:</b> faq.txt, *.mp3",@@ -253,7 +253,7 @@ download_extension = "ブラウザ拡張機能", download_single_file = "単一のファイルをダウンロードするには、最初にファイル名をクリックしてファイルを選択する必要があります。", download_multiple_files = "複数のファイル/フォルダをダウンロードするには、Google Chrome拡張機能「Wing Download Manager」を使用できます、ブラウザで拡張機能のアイコンをクリックするだけです。<br><br>この拡張機能をまだインストールしていない場合は、Chromeウェブストアからダウンロードしてください: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "複数のファイル/フォルダをダウンロードするには、Firefox拡張機能「Wing Download Manager」を使用できます、ブラウザで拡張機能のアイコンをクリックするだけです。<br><br>この拡張機能をまだインストールしていない場合は、Firefoxウェブストアからダウンロードしてください: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "複数のファイル/フォルダをダウンロードするには、Firefox拡張機能「Wing Download Manager」を使用できます、ブラウザで拡張機能のアイコンをクリックするだけです。<br><br>この拡張機能をまだインストールしていない場合は、Firefoxウェブストアからダウンロードしてください: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "二要素認証(TOTP)が必要", str_verify = "確認",@@ -271,6 +271,10 @@ edit_office_files = "Microsoft Word、Excel、および PowerPoint ファイルの表示/編集には、Google Chrome拡張機能「Office Editing for Docs, 
Sheets & Slides」を使用できます。<br><br>この拡張機能をまだインストールしていない場合は、Chromeウェブストアからダウンロードしてください: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "ビデオプレビュー", scan_qrcode = "QRコードをスキャンまたはクリックしてダウンロードしてください",+str_theme_label = "テーマ:",+str_theme_modern = "モダン",+str_theme_classic = "クラシック",+str_copied = "コピー済み", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "エラー:別の操作が保留中です。後で試してください" RESULT_STR[-11] = "エラー:権限なし, サブフォルダを作成できません" RESULT_STR[1] = "操作成功!"+RESULT_STR[0] = "操作成功!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "登録失敗:ユーザー名とパスワードが一致しない"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "登録失敗:Windows Authentication cannot work when Windows Guest account enabled" LOGINERROR_STR[-15] = "登録失敗: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "登録に成功しました!"+LOGINERROR_STR[0] = "登録に成功しました!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "パスワードの変更に失敗:サーバにパスワードの変更を許さない"
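Review bot: the Firefox link in download_multiple_files2 now points at a different add-on listing (wing-download-manager-new under en-US) instead of the original wing-download-manager path; because this string is rendered as raw HTML and tells users which extension to install, the new listing should be checked against the publisher's own page and the move recorded in the changelog (version.txt on this page only says the extension was updated, not that its listing changed). Pinning en-US into the path also fixes the locale where the old path let the store choose it.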
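Review bot: RESULT_STR[0] is added with the same text as RESULT_STR[1] ("操作成功!"), and the LOGINERROR_STR hunk below does the same for code 0, so two distinct codes now both read as success. If the server really returns 0 on some success path, a comment explaining the 0/1 split belongs here; if it does not, a lookup on a code that used to yield nil (and could be detected) now shows a success message. Either way, the client code that consumes these tables should be checked for `== 1` comparisons that will now miss the 0 case.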
Here is the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Potential XSS via HTML injection] [webclient/language/japanese.html] [Lines 253, 271]
[Old Code]
Contains multiple HTML anchor tags with `target='_blank'` attributes
[Fixed Code]
Still contains HTML anchor tags with `target='_blank'` attributes (no visible security fix)
Note: While not a direct fix, HTML injection/XSS could potentially be a concern when rendering unescaped HTML content

2. Vulnerability Existed: not sure
[Broken Link/Untrusted Redirect] [webclient/language/japanese.html] [Line 253]
[Old Code]
`<a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'>`
[Fixed Code]
`<a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'>`
Note: The URL was updated, but it's unclear if this was a security fix or just a link update

3. Vulnerability Existed: no
[No security vulnerability found] [webclient/language/japanese.html] [Lines 50, 171]
[Old Code]
UI text changes (non-security related)
[Fixed Code]
UI text changes (non-security related)

4. Vulnerability Existed: no
[No security vulnerability found] [webclient/language/japanese.html] [Lines 286-309]
[Old Code]
Added success messages for result code 0 (non-security related)
[Fixed Code]
Added success messages for result code 0 (non-security related)

The diff appears to contain mostly UI text changes and link updates rather than clear security fixes. The HTML content changes don't show obvious security improvements, though the Firefox addon link was updated to a new version. No clear vulnerabilities were fixed in this diff.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/version.txt+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/version.txt@@ -1,4 +1,38 @@-Wing FTP Server v7.4.0 Released: 13/Dec/2024+Wing FTP Server v7.4.4 Released: 14/May/2025+--------------------------------------------------------------+Fixed a security bug - Fixed a possible remote code execution vulnerability with logged-in session as Root/SYSTEM.+Fixed a security bug - Full path disclosure through an overlong UID string of a logged-in session.+Improvement - Set a max length limitation of the user/password in the login page.+Improvement - Updated libssh to the latest version.+Improvement - Updated the browser extension "Wing Download Manager".+++Wing FTP Server v7.4.3 Released: 26/Mar/2025+--------------------------------------------------------------+Fixed a security bug - Link injection that can be used to steal the clear-text password of a weblink.+Fixed a bug - There is a certain probability that the timestamp (with milliseconds) in domain logs might be a bit earlier. 
+Fixed a bug - When a domain is closed and WingFTP service is restarted twice, then all the domain listeners will disappear.+Fixed a bug - Data tables won't be initialized successfully when using unixODBC with PostgreSQL under the Linux system.+Improvement - Now you cannot add domain listeners when the domain is closed.+++Wing FTP Server v7.4.2 Released: 26/Feb/2025+--------------------------------------------------------------+Fixed a bug - User can't copy or move a folder in the web client when existing file access rules.+Improvement - Non-logged-in FTP/SFTP connections won't be counted in the total online sessions.+Improvement - When testing the LDAP server connection, now it will popup the error details.+Improvement - When closing file uploader in web client, it won't reload the web page again.+++Wing FTP Server v7.4.1 Released: 16/Jan/2025+--------------------------------------------------------------+Fixed a bug - The WingFTP service will crash when using unixODBC under the Linux system.+Fixed a bug - Regardless of whether there is list permission, the file list can be always displayed in the extension "Wing Download Manager".+Improvement - Added a domain option "Always allow existing WebLink regardless of user status (e.g. disabled)".+Improvement - Improved the display for the long virtual folder name under user/group settings.+++Wing FTP Server v7.4.0 Released: 13/Dec/2024 -------------------------------------------------------------- Improvement - Now admin can select user accounts (belong to the group) in the Add/Modify Group interface. Improvement - Improved the malformed audit database issue (SQLite db file "audit_db").
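Review bot: the 7.4.4 line "Fixed a possible remote code execution vulnerability with logged-in session as Root/SYSTEM" is the only record operators get of the flaw described elsewhere on this page (null-byte mishandling in the user and admin web interfaces leading to Lua injection into session files, reachable from anonymous accounts), yet it names no identifier or affected component and omits that anonymous sessions reach it; add the advisory reference and the affected-interface detail so a reader can map this release to the advisory. "Set a max length limitation of the user/password in the login page" reads as a client-side limit, and unless the server enforces the same bound the improvement is cosmetic, so the entry should say where the check lives. The hunk also drops the "v7.4.0 Released: 13/Dec/2024" header only to re-add it below the new sections, which keeps newest-first order and is fine.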
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Remote Code Execution Vulnerability [version.txt] [Lines: 2-3]
Old Code: Wing FTP Server v7.4.0
Fixed Code: Fixed a security bug - Fixed a possible remote code execution vulnerability with logged-in session as Root/SYSTEM.

2. Vulnerability Existed: yes
Full Path Disclosure Vulnerability [version.txt] [Lines: 2-3]
Old Code: Wing FTP Server v7.4.0
Fixed Code: Fixed a security bug - Full path disclosure through an overlong UID string of a logged-in session.

3. Vulnerability Existed: yes
Link Injection Vulnerability [version.txt] [Lines: 10-11]
Old Code: Wing FTP Server v7.4.0
Fixed Code: Fixed a security bug - Link injection that can be used to steal the clear-text password of a weblink.

4. Vulnerability Existed: not sure
Potential Information Disclosure Vulnerability [version.txt] [Lines: 2-3]
Old Code: Wing FTP Server v7.4.0
Fixed Code: Improvement - Set a max length limitation of the user/password in the login page.

Note: The version.txt file shows changelog information rather than actual code changes, but it clearly documents security vulnerabilities that were fixed in subsequent versions. The first three entries are confirmed vulnerabilities, while the fourth item might indicate a potential information disclosure vulnerability through overly long credentials, though this isn't explicitly stated as a security fix.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_set_general.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_set_general.html@@ -14,6 +14,7 @@ local enable_weblink = _POST["enable_weblink"] local show_subfolder = _POST["show_subfolder"] local keep_old_weblink = _POST["keep_old_weblink"]+ local anonymous_weblink = _POST["anonymous_weblink"] local uplink_overwrite = _POST["uplink_overwrite"] local weblink_domain = _POST["weblink_domain"] local enable_https_redirect = _POST["enable_https_redirect"]@@ -121,6 +122,7 @@ c_SetOptionInt(domain,DOPTION_ENABLE_WEBLINK_INT,enable_weblink) c_SetOptionInt(domain,DOPTION_ENABLE_WEBLINK_SUBFOLDER,show_subfolder) c_SetOptionInt(domain,DOPTION_KEEP_OLD_WEBLINK,keep_old_weblink)+ c_SetOptionInt(domain,DOPTION_ANONYMOUS_WEBLINK,anonymous_weblink) c_SetOptionInt(domain,DOPTION_UPLINK_OVERWRITE,uplink_overwrite) c_SetOptionStr(domain,DOPTION_WEBLINK_URL,weblink_domain) c_SetOptionInt(domain,DOPTION_ENABLE_HTTPS_REDIRECT,enable_https_redirect)
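Review bot: `anonymous_weblink` is read from _POST and, in the second hunk, handed to c_SetOptionInt(domain,DOPTION_ANONYMOUS_WEBLINK,anonymous_weblink) with no check that it is 0 or 1. That matches the neighbouring options (enable_weblink, show_subfolder and keep_old_weblink are read the same way), so it is consistency rather than a regression, but a new option that decides whether disabled users' links keep working is the place to start tightening: coerce with tonumber, accept only 0 or 1 before the set, and reject anything else instead of storing it.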
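Review bot: DOPTION_ANONYMOUS_WEBLINK is not defined in this file, and in Lua an unknown global evaluates to nil, so c_SetOptionInt would be called with a nil option id if the 7.4.4 server build does not export the constant; the hunk should be paired with the build that adds it. Since this option changes an access-control outcome (WebLinks stay valid for disabled accounts), flipping it deserves an admin-log entry in the style of c_AddAdminLog in admin_lua_script.html; nothing in this hunk records who set it or to what, unless the save handler already logs the whole settings write, in which case a comment saying so would settle it.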
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure
[Potential Missing Input Validation] [webadmin/admin_set_general.html] [Lines 14, 122]
[Old Code]
No handling of anonymous_weblink parameter
[Fixed Code]
Added anonymous_weblink parameter handling
Note: While this is an addition of functionality rather than a direct security fix, the lack of input validation for the new anonymous_weblink parameter could potentially be a security concern if the value is used without proper sanitization.

2. Vulnerability Existed: not sure
[Potential Authorization Bypass] [webadmin/admin_set_general.html] [Lines 14, 122]
[Old Code]
No anonymous weblink functionality
[Fixed Code]
Added anonymous_weblink functionality
Note: The addition of anonymous weblink functionality could potentially introduce authorization bypass risks if not properly implemented, though we can't determine the complete security implications from just this diff.

The diff shows the addition of anonymous weblink functionality, but without seeing the complete implementation and context, we can't definitively identify specific vulnerabilities that were fixed. The changes appear to be feature additions rather than direct security fixes.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/romanian.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/romanian.html@@ -784,9 +784,9 @@ str_banip_tip = "Ban IP temporar", left_graphs = "Grafice", str_online_sessions = "Sesiuni online",-str_last_5min = "Ultimele 5 minute",-str_last_5hour = "Ultimele 5 ore",-str_last_10day = "Ultimele 10 zile",+str_last_5min = "Ultimele 6 minute",+str_last_5hour = "Ultimele 6 ore",+str_last_10day = "Ultimele 15 zile", str_password_strength = "Securitate", title_windowsauth = "Autentificare Windows",@@ -999,6 +999,7 @@ str_ldap_timeout = "Timeout LDAP", str_real_owner_group = "Afișați proprietarul/grupul real în lista de fișiere (Linux/Mac)", str_no_renegotiation = "Nu permiteți renegocierea SSL/TLS inițiată de client",+str_anonymous_weblink = "Permiteți întotdeauna WebLink, indiferent de starea utilizatorului (de exemplu, dezactivat).", calendar_months = "'Ian','Feb','Mar','Apr','Mai','Iun','Iul','Aug','Sep','Oct','Noi','Dec'",
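Review bot: this file mirrors the czech.html diff on this page line for line (the same 5-to-6 and 10-to-15 label widening at lines 784-786, the same new str_anonymous_weblink string at 999), so the same two questions apply: the interval labels must track the server's actual graph window in every locale, not just the ones touched here, and the anonymous-WebLink wording should tell administrators that disabling an account will no longer invalidate its existing links and whether the option is off by default.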
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be either language string updates or minor functional adjustments. Here's the analysis:

1. Vulnerability Existed: no
Time Display Adjustments [File] [Lines 784-786]
[Old Code]
str_last_5min = "Ultimele 5 minute",
str_last_5hour = "Ultimele 5 ore",
str_last_10day = "Ultimele 10 zile",
[Fixed Code]
str_last_5min = "Ultimele 6 minute",
str_last_5hour = "Ultimele 6 ore",
str_last_10day = "Ultimele 15 zile",

2. Vulnerability Existed: not sure
WebLink Permission Addition [File] [Line 999]
[Old Code]
(no corresponding line)
[Fixed Code]
str_anonymous_weblink = "Permiteți întotdeauna WebLink, indiferent de starea utilizatorului (de exemplu, dezactivat).",
Note: The second change adds a new configuration option for WebLink access. While this isn't clearly a security fix, it could potentially relate to access control. Without more context about how this feature is implemented, I can't determine if this fixes a vulnerability or just adds functionality.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_lua_script.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_lua_script.html@@ -73,7 +73,7 @@ end else assert(loadstring(newcmd))()- c_AddAdminLog("administrator '".._SESSION["admin"].."'(IP:".._REMOTE_IP..") executed the following Lua scripts via console: "..command,ADMIN_LOG_OK)+ c_AddAdminLog("administrator '".._SESSION["admin"].."' (IP:".._REMOTE_IP..") executed the following Lua scripts via console: "..command,ADMIN_LOG_OK) end end end
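Review bot: the only change is a space before "(IP:" in the log line, but the ordering around it is the point to raise: c_AddAdminLog runs after assert(loadstring(newcmd))(), so a console script that fails to compile (the assert raises), errors at runtime or never returns is executed without ever being recorded. Write the log entry before the assert. Also, `command` is appended raw, so a multi-line script lands in the admin log as-is; escape newlines or log a length and the first line so the log stays one entry per line for whatever parses it.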
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: not sure
[Potential Log Injection] [webadmin/admin_lua_script.html] [Line 73]
[Old Code]
c_AddAdminLog("administrator '".._SESSION["admin"].."'(IP:".._REMOTE_IP..") executed the following Lua scripts via console: "..command,ADMIN_LOG_OK)
[Fixed Code]
c_AddAdminLog("administrator '".._SESSION["admin"].."' (IP:".._REMOTE_IP..") executed the following Lua scripts via console: "..command,ADMIN_LOG_OK)

Notes:
- The change appears to be mostly cosmetic (adding a space after the admin name)
- However, there might be a potential log injection concern if any of the variables (_SESSION["admin"], _REMOTE_IP, or command) contain untrusted input
- The fix doesn't address any obvious security vulnerability, but the context suggests logging of admin actions which should be properly sanitized
- The actual vulnerability would depend on how these variables are populated and whether they're properly sanitized before being included in the log message
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_addgroup_form2.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_addgroup_form2.html@@ -188,6 +188,13 @@ color:#49658F } .emptyTag { width:10px;}++.longtd+{+ padding-right: 2px;+ word-wrap: break-word;+ word-break: break-all;+} </style> <script language="javascript" src="include/common.js"></script>@@ -436,7 +443,7 @@ rightmask += " "; if(directories[i].zipfile) rightmask += "Z"; if(directories[i].unzipfile) rightmask += "U";- htmltext += "<tr class='listtr01' onmouseup='do_list_click(this);'><td width='50%' f_id='"+i+"'>"+directories[i].dir+"</td><td width='25%'>"+directories[i].alias+"</td><td width='25%'>"+rightmask+"</td></tr>";+ htmltext += "<tr class='listtr01' onmouseup='do_list_click(this);'><td width='50%' f_id='"+i+"' class='longtd'>"+directories[i].dir+"</td><td width='30%' class='longtd'>"+directories[i].alias+"</td><td width='20%'>"+rightmask+"</td></tr>"; } htmltext += "</table>"; clear("listview_div");@@ -488,7 +495,7 @@ rightmask += " "; if(subdir_perm[i].zipfile) rightmask += "Z"; if(subdir_perm[i].unzipfile) rightmask += "U";- htmltext += "<tr class='listtr01' onmouseup='do_list_click6(this);'><td width='75%' f_id='"+i+"'>"+subdir_perm[i].dir+"</td><td width='25%'>"+rightmask+"</td></tr>";+ htmltext += "<tr class='listtr01' onmouseup='do_list_click6(this);'><td width='75%' f_id='"+i+"' class='longtd'>"+subdir_perm[i].dir+"</td><td width='25%'>"+rightmask+"</td></tr>"; } htmltext += "</table>"; clear("listview_div6");@@ -1347,8 +1354,8 @@ <table width="100%" border="0" cellpadding="0" cellspacing="0" style="border:1px solid #919B9C;"> <tr> <td class="listhead" width="50%" onmouseover="className='listhead2';" onmouseout="className='listhead';"><%=LANG["title_directory"]%></td>- <td class="listhead" width="25%" onmouseover="className='listhead2';" onmouseout="className='listhead';"><%=LANG["title_virtualpath"]%></td>- <td class="listhead" 
width="25%" onmouseover="className='listhead2';" onmouseout="className='listhead';"><%=LANG["title_attributes"]%></td>+ <td class="listhead" width="30%" onmouseover="className='listhead2';" onmouseout="className='listhead';"><%=LANG["title_virtualpath"]%></td>+ <td class="listhead" width="20%" onmouseover="className='listhead2';" onmouseout="className='listhead';"><%=LANG["title_attributes"]%></td> </tr> <tr> <td colspan="3">@@ -1386,7 +1393,7 @@ </tr> <tr> <td colspan="2">- <span id="listview_div6" style="float:left; height:260px; width:100%; background-color:#FFF; overflow:auto; overflow-x:hidden;">+ <span id="listview_div6" style="float:left; height:255px; width:100%; background-color:#FFF; overflow:auto; overflow-x:hidden;"> <table id="listtable6" width="100%" border="0" cellpadding="2" cellspacing="0" style="table-layout:fixed;"></table> </span> </td></tr>
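Review bot: in the @@ -436 hunk the change only adds class='longtd' and re-balances the widths; directories[i].dir and directories[i].alias are still concatenated into the markup unescaped, and the word-break CSS added in the first hunk suggests the motivating bug was long names overflowing the cell. These values are administrator-entered paths shown back to administrators, so the exposure is narrow, but if include/common.js (loaded just below the style block) has an HTML-escaping helper, this innerHTML build is where it belongs; the same applies to subdir_perm[i].dir in the @@ -488 hunk.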
After analyzing the provided code diff, here are the potential security vulnerabilities identified:

1. Vulnerability Existed: not sure
[Potential XSS Vulnerability] [webadmin/admin_addgroup_form2.html] [Lines 436, 488]
[Old Code]
`htmltext += "<tr class='listtr01' onmouseup='do_list_click(this);'><td width='50%' f_id='"+i+"'>"+directories[i].dir+"</td><td width='25%'>"+directories[i].alias+"</td><td width='25%'>"+rightmask+"</td></tr>";`
[Fixed Code]
`htmltext += "<tr class='listtr01' onmouseup='do_list_click(this);'><td width='50%' f_id='"+i+"' class='longtd'>"+directories[i].dir+"</td><td width='30%' class='longtd'>"+directories[i].alias+"</td><td width='20%'>"+rightmask+"</td></tr>";`
Additional Details: The code appears to be dynamically building HTML strings with user-controlled input (directories[i].dir and directories[i].alias). While the fix adds CSS classes for word wrapping, it doesn't show explicit HTML escaping, which could potentially lead to XSS if the input isn't properly sanitized elsewhere.

2. Vulnerability Existed: not sure
[Potential XSS Vulnerability] [webadmin/admin_addgroup_form2.html] [Line 488]
[Old Code]
`htmltext += "<tr class='listtr01' onmouseup='do_list_click6(this);'><td width='75%' f_id='"+i+"'>"+subdir_perm[i].dir+"</td><td width='25%'>"+rightmask+"</td></tr>";`
[Fixed Code]
`htmltext += "<tr class='listtr01' onmouseup='do_list_click6(this);'><td width='75%' f_id='"+i+"' class='longtd'>"+subdir_perm[i].dir+"</td><td width='25%'>"+rightmask+"</td></tr>";`
Additional Details: Similar to the first case, this involves dynamic HTML construction with user input (subdir_perm[i].dir). The fix adds CSS classes but doesn't show explicit XSS protection measures.

Note: The main changes in the diff appear to be:
1. Addition of CSS word wrapping/breaking styles
2. Adjustment of column widths
3. Addition of CSS classes to table cells
4. Minor height adjustment for a div

While these changes improve presentation and potentially prevent layout-breaking from long unbroken strings, they don't clearly address security vulnerabilities unless the word wrapping was specifically added to mitigate some form of content injection. Without seeing the actual input sanitization routines, we can't be certain about XSS vulnerabilities.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/romanian.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/romanian.html@@ -50,7 +50,7 @@ rmdir_tip = "(această operație șterge toate subdirectoarele și toate fișierele!)", create_title = "Creează dosar nou", create_filename = "Numele dosarului",-create_submit = " OK ",+create_submit = " OK ", create_cancel = " Anulare ", goto_title = "Duceți-vă la director", goto_path = "Calea directorului",@@ -171,7 +171,7 @@ str_searchin = "Caută în", str_searchfor = "Căutare pentru", str_searchfiles = "Caută fișiere în site",-str_search_tip = "Vă rugăm să introduceți un cuvânt cheie pentru căutare!",+str_search_tip = "Vă rugăm să introduceți un cuvânt cheie pentru căutare", str_searching = "Se caută...", str_searchfor_tip = "<b>Cum ar fi:</b> faq.txt, *.mp3",@@ -253,7 +253,7 @@ download_extension = "Extensie browser", download_single_file = "Pentru a descărca un singur fișier, trebuie să selectați un fișier făcând clic mai întâi pe numele acestuia.", download_multiple_files = "Pentru descărcarea mai multor fișiere / foldere, puteți utiliza extensia Google Chrome 'Wing Download Manager', trebuie doar să faceți clic pe pictograma extensiei din browser.<br><br>Dacă nu ați instalat încă această extensie, vă rugăm să o descărcați din Magazinul web Chrome: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "Pentru descărcarea mai multor fișiere / foldere, puteți utiliza extensia Firefox 'Wing Download Manager', trebuie doar să faceți clic pe pictograma extensiei din browser.<br><br>Dacă nu ați instalat încă această extensie, vă rugăm să o descărcați de pe site-ul Firefox Add-ons: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> 
",+download_multiple_files2 = "Pentru descărcarea mai multor fișiere / foldere, puteți utiliza extensia Firefox 'Wing Download Manager', trebuie doar să faceți clic pe pictograma extensiei din browser.<br><br>Dacă nu ați instalat încă această extensie, vă rugăm să o descărcați de pe site-ul Firefox Add-ons: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "Este necesară autentificarea cu doi factori (TOTP)", str_verify = "Verifica",@@ -271,6 +271,10 @@ edit_office_files = "Pentru vizualizarea/editarea fișierelor Microsoft Word, Excel și PowerPoint, puteți utiliza extensia Google Chrome 'Office Editing for Docs, Sheets & Slides'.<br><br>Dacă nu ați instalat încă această extensie, vă rugăm să o descărcați din Magazinul web Chrome: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "Previzualizare video", scan_qrcode = "Scanați sau faceți clic pe codul QR pentru a descărca",+str_theme_label = "Temă:",+str_theme_modern = "Modern",+str_theme_classic = "Clasic",+str_copied = "Copiat", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "Eroare: o altă operațiune este în așteptare, vă rugăm să încercați mai târziu" RESULT_STR[-11] = "Eroare: nu aveți permisiune, nu se poate crea subfolder" RESULT_STR[1] = "Operația a avut succes!"+RESULT_STR[0] = "Operația a avut succes!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "Logarea nu a reșit: numele de utilizator și parola nu se potrivesc"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "Logarea nu a reșit: Windows Authentication cannot work when Windows Guest account enabled" LOGINERROR_STR[-15] = "Logarea nu a reșit: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "Logarea a reușit!"+LOGINERROR_STR[0] = "Logarea a reușit!" 
CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "Schimbarea parolei nu a reușit: schimbarea parolei este interzisă"
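Review bot: this file tracks webclient/language/japanese.html on this page change for change (Firefox listing moved to en-US/.../wing-download-manager-new/, theme strings added, RESULT_STR[0] and LOGINERROR_STR[0] duplicated from the [1] entries), so the same review points carry over: confirm the new add-on listing against the publisher's page, and check the client code that consumes RESULT_STR and LOGINERROR_STR for `== 1` success checks now that 0 also reads as success. The create_submit hunk shows no visible difference after extraction (" OK " on both sides), which usually means a whitespace-only edit; say so in the commit message so it is not mistaken for a dropped change.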
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be primarily cosmetic (spacing adjustments), text updates, and feature additions rather than security fixes. Here's the analysis:

1. Vulnerability Existed: no
Cosmetic Changes [File] webclient/language/romanian.html [Lines 50, 171]
Old Code: create_submit = " OK "
Fixed Code: create_submit = " OK "

2. Vulnerability Existed: no
Text Update [File] webclient/language/romanian.html [Line 171]
Old Code: str_search_tip = "Vă rugăm să introduceți un cuvânt cheie pentru căutare!"
Fixed Code: str_search_tip = "Vă rugăm să introduceți un cuvânt cheie pentru căutare"

3. Vulnerability Existed: no
URL Update [File] webclient/language/romanian.html [Line 253]
Old Code: href='https://addons.mozilla.org/firefox/addon/wing-download-manager/'
Fixed Code: href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/'

4. Vulnerability Existed: no
Feature Addition [File] webclient/language/romanian.html [Lines 271-274, 286, 304]
Old Code: (nonexistent)
Fixed Code: Added new theme options and success messages (RESULT_STR[0], LOGINERROR_STR[0])

The changes are all related to UI/UX improvements, text formatting, and adding new features rather than addressing security vulnerabilities. No security-related patterns (like XSS fixes, input validation, or authorization checks) were modified in this diff.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_testldap.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_testldap.html@@ -9,11 +9,11 @@ local ldap_binddn = _POST["ldap_binddn"] local ldap_bindpass = _POST["ldap_bindpass"]- local retval = c_TestLDAP(domain,ldap_host,ldap_port,ldap_version,ldap_usessl,ldap_binddn,ldap_bindpass)+ local retval,errmsg = c_TestLDAP(domain,ldap_host,ldap_port,ldap_version,ldap_usessl,ldap_binddn,ldap_bindpass) if retval == true then print("1") else- print("0")+ print(errmsg or "") end end
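Review bot: replacing print("0") with print(errmsg or "") changes the response contract, not just the text: the page used to answer with a two-state token ("1" or "0"), a client that tests for "0" will now never match, and an empty errmsg yields an empty body that is neither. Keep the status token and append the detail (for example, "0" on the first line followed by errmsg) so existing callers still branch correctly, and make sure the client-side code that pops up the error details (the 7.4.2 changelog entry on this page) inserts it as text rather than innerHTML, since errmsg comes back from the LDAP library and can carry the bind DN or host string verbatim.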
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure
Potential Information Disclosure [File] webadmin/admin_testldap.html [Lines] 9-15
[Old Code]
```lua
local retval = c_TestLDAP(domain,ldap_host,ldap_port,ldap_version,ldap_usessl,ldap_binddn,ldap_bindpass)
if retval == true then
    print("1")
else
    print("0")
end
```
[Fixed Code]
```lua
local retval,errmsg = c_TestLDAP(domain,ldap_host,ldap_port,ldap_version,ldap_usessl,ldap_binddn,ldap_bindpass)
if retval == true then
    print("1")
else
    print(errmsg or "")
end
```
Additional Details: The change adds error message handling which could potentially expose sensitive information if error messages contain system details. However, this might also be considered an improvement in error reporting. The security impact depends on what `errmsg` contains.

2. Vulnerability Existed: not sure
Potential Error Handling Improvement [File] webadmin/admin_testldap.html [Lines] 9-15
[Old Code] Same as above
[Fixed Code] Same as above
Additional Details: The change improves error handling by providing more detailed feedback when LDAP tests fail. While not clearly a security vulnerability fix, better error handling can help administrators diagnose issues without exposing too much information.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_general_setting.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_general_setting.html@@ -98,7 +98,7 @@ #tabDiv {- width: 818px;+ width: 838px; margin: 0px auto 0px auto; position: relative; border:1px solid transparent;@@ -132,7 +132,7 @@ } .tagContent div { margin-top: 0px;- height: 460px;+ height: 480px; overflow-y:auto; background-image: url('images/tabbg.gif'); background-repeat: repeat-x;@@ -245,6 +245,7 @@ var enable_weblink = ($("enable_weblink").checked ? 1:0); var show_subfolder = ($("show_subfolder").checked ? 1:0); var keep_old_weblink = ($("keep_old_weblink").checked ? 1:0);+ var anonymous_weblink = ($("anonymous_weblink").checked ? 1:0); var uplink_overwrite = ($("uplink_overwrite").checked ? 1:0); var weblink_domain = encodeURIComponent($("weblink_domain").value); var enable_https_redirect = ($("enable_https_redirect").checked ? 1:0);@@ -371,7 +372,7 @@ } }- paramStr = 
"domain="+domain+"&enable_hammer="+enable_hammer+"&send_message="+send_message+"&block_time="+block_time+"&failed_count="+failed_count+"&failed_interval="+failed_interval+"&enable_fxp="+enable_fxp+"&enable_utf8_on="+enable_utf8_on+"&enable_auth_tls="+enable_auth_tls+"&enable_uploadlink="+enable_uploadlink+"&buffer_size="+buffer_size+"&enable_weblink="+enable_weblink+"&show_subfolder="+show_subfolder+"&keep_old_weblink="+keep_old_weblink+"&uplink_overwrite="+uplink_overwrite+"&weblink_domain="+weblink_domain+"&enable_https_redirect="+enable_https_redirect+"&https_redirect_port="+https_redirect_port+"&sslcert="+sslcert+"&sshkey="+sshkey+"&smtpconfig="+smtpconfig+"&listener_enable_upnp="+listener_enable_upnp+"&list_time_gmt="+list_time_gmt+"&enable_log="+enable_log+"&log_filename="+log_filename+"&log_maxsize="+log_maxsize+"&log_compress="+log_compress+"&log_millisecond="+log_millisecond+"&enable_modez="+enable_modez+"&zlevel_default="+zlevel_default+"&zlevel_min="+zlevel_min+"&zlevel_max="+zlevel_max+"&max_session="+max_session+"&max_ipsession="+max_ipsession+"&max_session_per_user="+max_session_per_user+"&max_ipsession_for_user="+max_ipsession_for_user+"&connection_timeout="+connection_timeout+"&session_downspeed="+session_downspeed+"&session_upspeed="+session_upspeed+"&user_downspeed="+user_downspeed+"&user_upspeed="+user_upspeed+"&domain_downspeed="+domain_downspeed+"&domain_upspeed="+domain_upspeed+"&data_transfer_timeout="+data_transfer_timeout+"&pasv_method="+pasv_method+"&pasv_fixed_ip="+pasv_fixed_ip+"&pasv_web_ip="+pasv_web_ip+"&pasv_dns_ip="+pasv_dns_ip+"&pasv_ip_refresh="+pasv_ip_refresh+"&pasv_min_port="+pasv_min_port+"&pasv_max_port="+pasv_max_port+"&enable_logfile_message="+enable_logfile_message+"&enable_logscrn_message="+enable_logscrn_message+"&enable_logfile_security="+enable_logfile_security+"&enable_logscrn_security="+enable_logscrn_security+"&enable_logfile_ftpcmd="+enable_logfile_ftpcmd+"&enable_logscrn_ftpcmd="+enable_logscrn_ftpcmd+"&enable_logf
ile_ftpresp="+enable_logfile_ftpresp+"&enable_logscrn_ftpresp="+enable_logscrn_ftpresp+"&enable_logfile_webcmd="+enable_logfile_webcmd+"&enable_logscrn_webcmd="+enable_logscrn_webcmd+"&enable_logfile_webresp="+enable_logfile_webresp+"&enable_logscrn_webresp="+enable_logscrn_webresp+"&enable_logfile_sshcmd="+enable_logfile_sshcmd+"&enable_logscrn_sshcmd="+enable_logscrn_sshcmd+"&enable_logfile_sshresp="+enable_logfile_sshresp+"&enable_logscrn_sshresp="+enable_logscrn_sshresp+"&enable_logfile_odbcerr="+enable_logfile_odbcerr+"&enable_logscrn_odbcerr="+enable_logscrn_odbcerr+"&enable_logfile_mysqlerr="+enable_logfile_mysqlerr+"&enable_logscrn_mysqlerr="+enable_logscrn_mysqlerr+"&enable_logfile_luaerr="+enable_logfile_luaerr+"&enable_logscrn_luaerr="+enable_logscrn_luaerr+"&enable_logfile_mailerr="+enable_logfile_mailerr+"&enable_logscrn_mailerr="+enable_logscrn_mailerr+"&enable_logfile_fileerr="+enable_logfile_fileerr+"&enable_logscrn_fileerr="+enable_logscrn_fileerr+"&enable_logfile_normalerr="+enable_logfile_normalerr+"&enable_logscrn_normalerr="+enable_logscrn_normalerr+"&enable_domain_logo="+enable_domain_logo+"&min_password="+min_password+"&password_complexity1="+password_complexity1+"&password_complexity2="+password_complexity2+"&password_complexity3="+password_complexity3+"&password_complexity4="+password_complexity4+"&sha256_password="+sha256_password+"&changepass_firstlogon="+changepass_firstlogon+"&enable_symbolic_link="+enable_symbolic_link+"&http_headers="+http_headers+"&enable_passive_active="+enable_passive_active+"&passive_listener_timeout="+passive_listener_timeout+"&auto_pasv_ip="+auto_pasv_ip+"&auto_passive_forward="+auto_passive_forward+"&auto_active_forward="+auto_active_forward+"&enable_welcome_message="+enable_welcome_message+"&str_welcome_message="+encodeURIComponent(str_welcome_message)+"&ssh_banner="+ssh_banner+"&http_keepalive="+http_keepalive+"&tls_session_timeout="+tls_session_timeout+"&enable_salting="+enable_salting+"&salting_string="+salt
ing_string+"&r="+Math.random();+ paramStr = "domain="+domain+"&enable_hammer="+enable_hammer+"&send_message="+send_message+"&block_time="+block_time+"&failed_count="+failed_count+"&failed_interval="+failed_interval+"&enable_fxp="+enable_fxp+"&enable_utf8_on="+enable_utf8_on+"&enable_auth_tls="+enable_auth_tls+"&enable_uploadlink="+enable_uploadlink+"&buffer_size="+buffer_size+"&enable_weblink="+enable_weblink+"&show_subfolder="+show_subfolder+"&keep_old_weblink="+keep_old_weblink+"&anonymous_weblink="+anonymous_weblink+"&uplink_overwrite="+uplink_overwrite+"&weblink_domain="+weblink_domain+"&enable_https_redirect="+enable_https_redirect+"&https_redirect_port="+https_redirect_port+"&sslcert="+sslcert+"&sshkey="+sshkey+"&smtpconfig="+smtpconfig+"&listener_enable_upnp="+listener_enable_upnp+"&list_time_gmt="+list_time_gmt+"&enable_log="+enable_log+"&log_filename="+log_filename+"&log_maxsize="+log_maxsize+"&log_compress="+log_compress+"&log_millisecond="+log_millisecond+"&enable_modez="+enable_modez+"&zlevel_default="+zlevel_default+"&zlevel_min="+zlevel_min+"&zlevel_max="+zlevel_max+"&max_session="+max_session+"&max_ipsession="+max_ipsession+"&max_session_per_user="+max_session_per_user+"&max_ipsession_for_user="+max_ipsession_for_user+"&connection_timeout="+connection_timeout+"&session_downspeed="+session_downspeed+"&session_upspeed="+session_upspeed+"&user_downspeed="+user_downspeed+"&user_upspeed="+user_upspeed+"&domain_downspeed="+domain_downspeed+"&domain_upspeed="+domain_upspeed+"&data_transfer_timeout="+data_transfer_timeout+"&pasv_method="+pasv_method+"&pasv_fixed_ip="+pasv_fixed_ip+"&pasv_web_ip="+pasv_web_ip+"&pasv_dns_ip="+pasv_dns_ip+"&pasv_ip_refresh="+pasv_ip_refresh+"&pasv_min_port="+pasv_min_port+"&pasv_max_port="+pasv_max_port+"&enable_logfile_message="+enable_logfile_message+"&enable_logscrn_message="+enable_logscrn_message+"&enable_logfile_security="+enable_logfile_security+"&enable_logscrn_security="+enable_logscrn_security+"&enable_logfile_ftpcmd="
+enable_logfile_ftpcmd+"&enable_logscrn_ftpcmd="+enable_logscrn_ftpcmd+"&enable_logfile_ftpresp="+enable_logfile_ftpresp+"&enable_logscrn_ftpresp="+enable_logscrn_ftpresp+"&enable_logfile_webcmd="+enable_logfile_webcmd+"&enable_logscrn_webcmd="+enable_logscrn_webcmd+"&enable_logfile_webresp="+enable_logfile_webresp+"&enable_logscrn_webresp="+enable_logscrn_webresp+"&enable_logfile_sshcmd="+enable_logfile_sshcmd+"&enable_logscrn_sshcmd="+enable_logscrn_sshcmd+"&enable_logfile_sshresp="+enable_logfile_sshresp+"&enable_logscrn_sshresp="+enable_logscrn_sshresp+"&enable_logfile_odbcerr="+enable_logfile_odbcerr+"&enable_logscrn_odbcerr="+enable_logscrn_odbcerr+"&enable_logfile_mysqlerr="+enable_logfile_mysqlerr+"&enable_logscrn_mysqlerr="+enable_logscrn_mysqlerr+"&enable_logfile_luaerr="+enable_logfile_luaerr+"&enable_logscrn_luaerr="+enable_logscrn_luaerr+"&enable_logfile_mailerr="+enable_logfile_mailerr+"&enable_logscrn_mailerr="+enable_logscrn_mailerr+"&enable_logfile_fileerr="+enable_logfile_fileerr+"&enable_logscrn_fileerr="+enable_logscrn_fileerr+"&enable_logfile_normalerr="+enable_logfile_normalerr+"&enable_logscrn_normalerr="+enable_logscrn_normalerr+"&enable_domain_logo="+enable_domain_logo+"&min_password="+min_password+"&password_complexity1="+password_complexity1+"&password_complexity2="+password_complexity2+"&password_complexity3="+password_complexity3+"&password_complexity4="+password_complexity4+"&sha256_password="+sha256_password+"&changepass_firstlogon="+changepass_firstlogon+"&enable_symbolic_link="+enable_symbolic_link+"&http_headers="+http_headers+"&enable_passive_active="+enable_passive_active+"&passive_listener_timeout="+passive_listener_timeout+"&auto_pasv_ip="+auto_pasv_ip+"&auto_passive_forward="+auto_passive_forward+"&auto_active_forward="+auto_active_forward+"&enable_welcome_message="+enable_welcome_message+"&str_welcome_message="+encodeURIComponent(str_welcome_message)+"&ssh_banner="+ssh_banner+"&http_keepalive="+http_keepalive+"&tls_session_tim
eout="+tls_session_timeout+"&enable_salting="+enable_salting+"&salting_string="+salting_string+"&r="+Math.random(); ajaxRequest("admin_set_general",paramStr); }@@ -762,6 +763,7 @@ </td></tr> <tr><td><input type="checkbox" id="show_subfolder" <%if c_GetOptionInt(domain,DOPTION_ENABLE_WEBLINK_SUBFOLDER) == 1 then print("checked") end%>><%=LANG["str_show_subfolder"]%></td></tr> <tr><td><input type="checkbox" id="keep_old_weblink" <%if c_GetOptionInt(domain,DOPTION_KEEP_OLD_WEBLINK) == 1 then print("checked") end%>><%=LANG["str_keep_weblink"]%></td></tr>+ <tr><td><input type="checkbox" id="anonymous_weblink" <%if c_GetOptionInt(domain,DOPTION_ANONYMOUS_WEBLINK) == 1 then print("checked") end%>><%=LANG["str_anonymous_weblink"]%></td></tr> <tr><td><input type="checkbox" id="uplink_overwrite" <%if c_GetOptionInt(domain,DOPTION_UPLINK_OVERWRITE) == 1 then print("checked") end%>><%=LANG["str_uplink_overwrite"]%></td></tr> <tr><td>
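Review bot: the new `anonymous_weblink` checkbox is wired only on the client side in this hunk; the handler behind `ajaxRequest("admin_set_general",paramStr)` is not in the diff, so confirm that it reads the parameter, coerces it to 0/1 and stores DOPTION_ANONYMOUS_WEBLINK with a default of 0, and document what "anonymous" means for WebLink access, since the name suggests the option relaxes who can use a link rather than tightening anything. Separately, in the rewritten paramStr only `weblink_domain` and `str_welcome_message` are visibly wrapped in encodeURIComponent; unless free-text values such as `http_headers`, `ssh_banner` and `salting_string` are encoded where they are read (not shown), a value containing `&` or `=` splits the query. That is pre-existing, but rewriting the whole line was the moment to fix it.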
Based on the provided code diff, I'll analyze it for security fixes:

1. Vulnerability Existed: not sure
New access-policy option (anonymous_weblink)
[webadmin/admin_general_setting.html] [Lines 245, 371-372, 762-763]
Old Code: no "anonymous_weblink" checkbox and no such parameter in the form submission
Fixed Code: adds an "anonymous_weblink" checkbox bound to DOPTION_ANONYMOUS_WEBLINK and sends it as "&anonymous_weblink=" in the admin_set_general request
Additional Details: This is a feature addition, not a fix. Judging by its name, the option widens WebLink access rather than restricting it, so it deserves a review of its own: the server-side handler (admin_set_general) and the code that serves WebLinks are not in this diff, so it cannot be determined here how the value is stored or what it bypasses. It should default to unchecked.

2. Vulnerability Existed: no
Layout Adjustment
[webadmin/admin_general_setting.html] [Lines 98, 132]
Old Code: width: 818px; height: 460px;
Fixed Code: width: 838px; height: 480px;
Additional Details: Purely cosmetic; the extra height accommodates the new checkbox row.

No clear security vulnerability is fixed in this diff.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/main_m.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/main_m.html@@ -1648,18 +1648,27 @@ { return false; }+ else+ {+ if(last_field == -1)+ window.location = "main_m.html";+ else+ window.location = "main_m.html?sort="+last_field+"&r="+Number(reverse_sort);++ return true;+ }+ }++ if(iframeWindow.document.getElementById("infoDiv").innerHTML != "")+ {+ Refresh(); } } catch(e) { }- if(last_field == -1)- window.location = "main_m.html";- else- window.location = "main_m.html?sort="+last_field+"&r="+Number(reverse_sort);-- return false;+ return true; } function cancelUpload()
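Review bot: with the redirect moved into the else branch inside the try block, an exception swallowed by the empty `catch(e) { }` now leaves the function returning true with no navigation and no message, where before it always navigated; at least log or surface that failure path. Also, `last_field` is concatenated into the query string as-is while `reverse_sort` goes through Number(); apply the same coercion (`"&sort="+Number(last_field)`) so the location can only ever be main_m.html with numeric parameters, and double-check the call site, since the change from `return false` to `return true` alters what the caller does with the event.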
Analyzing the provided code diff, here's the security analysis:

1. Vulnerability Existed: no
Control-flow change in the upload-completion handler (not an open redirect)
[webclient/main_m.html] [Lines 1648-1667]
[Old Code]
if(last_field == -1) window.location = "main_m.html"; else window.location = "main_m.html?sort="+last_field+"&r="+Number(reverse_sort); return false;
[Fixed Code]
else { if(last_field == -1) window.location = "main_m.html"; else window.location = "main_m.html?sort="+last_field+"&r="+Number(reverse_sort); return true; }
Additional Details: The navigation target is the fixed relative path main_m.html; the only variable parts are last_field (a sort column index) and Number(reverse_sort), neither of which comes from the request URL or from the server response, so this is not an open redirect. What changed is when the navigation happens: before the patch the redirect ran unconditionally after the try/catch (also when the iframe check threw), now it runs only on the else branch inside the try block, and the function returns true instead of false. Whether returning true is correct depends on the caller (for an onsubmit handler it lets the default action proceed), which this diff does not show.

2. Vulnerability Existed: no
innerHTML read on infoDiv
[webclient/main_m.html] [Lines 1658-1661]
[Old Code] (None - new code added)
[Fixed Code]
if(iframeWindow.document.getElementById("infoDiv").innerHTML != "") { Refresh(); }
Additional Details: This line only reads innerHTML to test whether the iframe reported anything and then calls Refresh(); it writes nothing into the DOM, so it does not introduce XSS. Any XSS risk would lie in the code that populates infoDiv, which is outside this diff.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/dutch.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/dutch.html@@ -50,7 +50,7 @@ rmdir_tip = "(this operation remove all subdirectories and files!)", create_title = "Maak nieuwe map", create_filename = "Map naam",-create_submit = " OK ",+create_submit = " OK ", create_cancel = " Annuleren ", goto_title = "Ga Naar Map", goto_path = "Map locatie",@@ -171,7 +171,7 @@ str_searchin = "Zoek in", str_searchfor = "Zoek naar", str_searchfiles = "Zoek bestanden in pagina",-str_search_tip = "Geef een woord om naar te zoeken!",+str_search_tip = "Voer een bestandsnaam in om te zoeken", str_searching = "Zoeken ...", str_searchfor_tip = "<b>Bijvoorbeeld:</b>faq.txt,*.mp3",@@ -253,7 +253,7 @@ download_extension = "Browser-extensie", download_single_file = "Om een enkel bestand te downloaden, moet u een bestand selecteren door eerst op de bestandsnaam te klikken.", download_multiple_files = "Voor het downloaden van meerdere bestanden / mappen kunt u de Google Chrome-extensie 'Wing Download Manager' gebruiken, klik gewoon op het pictogram van de extensie in de browser.<br><br> Als u deze extensie nog niet heeft geïnstalleerd, downloadt u deze uit de Chrome Web Store: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "Voor het downloaden van meerdere bestanden / mappen kunt u de Firefox-extensie 'Wing Download Manager' gebruiken, klik gewoon op het pictogram van de extensie in de browser.<br><br> Als u deze extensie nog niet heeft geïnstalleerd, downloadt u deze uit de Firefox-addons-website: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "Voor het downloaden van meerdere bestanden / mappen kunt u de 
Firefox-extensie 'Wing Download Manager' gebruiken, klik gewoon op het pictogram van de extensie in de browser.<br><br> Als u deze extensie nog niet heeft geïnstalleerd, downloadt u deze uit de Firefox-addons-website: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "Twee-factor-authenticatie (TOTP)", str_verify = "Verifiëren",@@ -271,6 +271,10 @@ edit_office_files = "Voor het bekijken/bewerken van Microsoft Word-, Excel- en PowerPoint-bestanden kunt u de Google Chrome-extensie 'Office Editing for Docs, Sheets & Slides' gebruiken.<br><br> Als u deze extensie nog niet heeft geïnstalleerd, downloadt u deze uit de Chrome Web Store: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "Videovoorbeeld", scan_qrcode = "Scan of klik op de QR-code om te downloaden",+str_theme_label = "Thema:",+str_theme_modern = "Modern",+str_theme_classic = "Klassiek",+str_copied = "Gekopieerd", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "Fout: een andere bewerking is in behandeling, probeer het later opnieuw" RESULT_STR[-11] = "Fout: geen toegang, kan geen submap maken" RESULT_STR[1] = "Operatie geslaagd!"+RESULT_STR[0] = "Operatie geslaagd!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "Login mislukt: gebruikersnaam en wachtwoord kloppen niet"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "Login mislukt: Windows Authentication cannot work when Windows Guest account enabled" LOGINERROR_STR[-15] = "Login mislukt: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "Login geslaagd!"+LOGINERROR_STR[0] = "Login geslaagd!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "Veranderen wachtwoord mislukt: wachtwoord wijzigen is niet toegestaan"
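Review bot: `RESULT_STR[0] = "Operatie geslaagd!"` and `LOGINERROR_STR[0] = "Login geslaagd!"` map code 0 to the same success text as code 1. Every other code in these tables is negative and denotes a failure, so if any server path returns 0 for "no result" or for an error that has no entry yet, the user is now told the login or operation succeeded; confirm the backend's meaning of 0 before this mapping ships in every language file.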
After analyzing the provided code diff, I don't find any clear security vulnerability being fixed. The changes are textual/UI updates and additions rather than security patches:

1. Vulnerability Existed: no
No security vulnerability found
File: webclient/language/dutch.html
Changes include:
- create_submit: the old and new values both render as " OK ", so this is a whitespace-only byte change
- str_search_tip reworded
- Firefox extension URL updated to a differently named listing
- Theme strings added (str_theme_label, str_theme_modern, str_theme_classic, str_copied)
- RESULT_STR[0] and LOGINERROR_STR[0] added as success messages, duplicating the text of code 1

2. Vulnerability Existed: not sure
Link Target Change
[File] webclient/language/dutch.html [Lines] 253
Old Code: href='https://addons.mozilla.org/firefox/addon/wing-download-manager/'
Fixed Code: href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/'
Note: The link now points at a differently named add-on listing, not just a localized URL. Whether the old listing was withdrawn for a security reason cannot be determined from the diff.

No clear evidence of a security fix in this diff.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/korean.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/korean.html@@ -50,7 +50,7 @@ rmdir_tip = "(이 작업은 모든 하위 디렉터리와 파일들을 제거합니다!)", create_title = "새 폴더 만들기", create_filename = "폴더 이름",-create_submit = " 확인 ",+create_submit = " 확인 ", create_cancel = " 취소 ", goto_title = "디렉터리 이동", goto_path = "디렉터리 경로",@@ -171,7 +171,7 @@ str_searchin = "검색", str_searchfor = "검색어", str_searchfiles = "파일 검색",-str_search_tip = "검색할 키워드를 입력하세요!",+str_search_tip = "검색할 파일 이름을 입력하세요", str_searching = "지금 검색 중...", str_searchfor_tip = "<b>보기:</b> faq.txt, *.mp3", str_user_quota = "할당량",@@ -253,7 +253,7 @@ download_extension = "브라우저 확장", download_single_file = "단일 파일을 다운로드하려면 먼저 파일 이름을 클릭하여 파일을 선택해야합니다.", download_multiple_files = "여러 파일 / 폴더를 다운로드하려면 Google Chrome 확장 프로그램 'Wing Download Manager'를 사용할 수 있습니다, 브라우저에서 확장 프로그램 아이콘을 클릭하기 만하면됩니다.<br><br>이 확장 프로그램을 아직 설치하지 않았다면 Chrome 웹 스토어에서 다운로드하세요: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "여러 파일 / 폴더를 다운로드하려면 Firefox 확장 프로그램 'Wing Download Manager'를 사용할 수 있습니다, 브라우저에서 확장 프로그램 아이콘을 클릭하기 만하면됩니다.<br><br>이 확장 프로그램을 아직 설치하지 않았다면 Firefox 웹 스토어에서 다운로드하세요: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "여러 파일 / 폴더를 다운로드하려면 Firefox 확장 프로그램 'Wing Download Manager'를 사용할 수 있습니다, 브라우저에서 확장 프로그램 아이콘을 클릭하기 만하면됩니다.<br><br>이 확장 프로그램을 아직 설치하지 않았다면 Firefox 웹 스토어에서 다운로드하세요: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "이중 인증(TOTP)", str_verify = "검증",@@ -271,6 +271,10 @@ edit_office_files = "Microsoft Word, Excel 및 PowerPoint 파일 보기/편집을 위해 Google Chrome 확장 프로그램 
'Office Editing for Docs, Sheets & Slides'를 사용할 수 있습니다.<br><br>이 확장 프로그램을 아직 설치하지 않았다면 Chrome 웹 스토어에서 다운로드하세요: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "비디오 미리보기", scan_qrcode = "QR 코드를 스캔하거나 클릭하여 다운로드하세요",+str_theme_label = "테마:",+str_theme_modern = "모던",+str_theme_classic = "클래식",+str_copied = "복사됨", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "오류 : 다른 작업이 보류 중입니다. 나중에 시도하십시오." RESULT_STR[-11] = "오류: 권한이 없습니다, 하위 폴더를 만들 수 없습니다." RESULT_STR[1] = "작업 성공!"+RESULT_STR[0] = "작업 성공!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "로그인 실패됨: 사용자명과 암호가 일치하지 않습니다."@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "로그인 실패됨: Windows 손님 계정 사용 시 Windows 인증이 작동하지 않습니다." LOGINERROR_STR[-15] = "로그인 실패됨: 현재 버전이 허용하는 최대 사용자 계정을 초과했습니다" LOGINERROR_STR[1] = "로그인 성공!"+LOGINERROR_STR[0] = "로그인 성공!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "암호 변경 실패됨: 암호 변경은 허용되지 않습니다."
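Review bot: the `create_submit = " 확인 "` line changes to a value that renders identically, so the patch carries a whitespace-only byte change (for example a non-breaking or full-width space replaced by an ASCII space) that nothing in the diff explains; check it with a byte-level diff (`git diff --word-diff-regex=.` or `xxd` on both files) to confirm only whitespace moved. These language files are loaded as Lua tables, so an invisible edit is exactly the kind of change a reviewer should not wave through.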
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[No specific vulnerability name]
[webclient/language/korean.html] [Lines 253]
[Old Code] `download_multiple_files2 = "...<a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'..."`
[Fixed Code] `download_multiple_files2 = "...<a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'..."`
Additional Details: The Firefox extension URL now points at a differently named listing. This might follow a replacement of the old extension, but the reason cannot be determined from the diff.

2. Vulnerability Existed: no
[No specific vulnerability name]
[webclient/language/korean.html] [Lines 50, 171]
[Old Code] create_submit = " 확인 " and the search tip with a trailing exclamation mark
[Fixed Code] create_submit with a visually identical value (a whitespace-only byte change) and a reworded search tip
Additional Details: Cosmetic/textual changes with no security implications, although the invisible change to create_submit should be confirmed at the byte level.

3. Vulnerability Existed: no
[No specific vulnerability name]
[webclient/language/korean.html] [Lines 271, 286, 304]
[Old Code] No theme-related strings; no entry for result code 0
[Fixed Code] Added theme strings and a "copied" message; added RESULT_STR[0] and LOGINERROR_STR[0] with the same success text as code 1
Additional Details: Feature additions and text updates with no apparent security impact, provided the backend never returns 0 for a failure.

Note: The diff primarily contains localization changes and minor UI improvements. The only potentially security-related change is the Firefox extension URL, and without knowing why it changed it cannot be called a security fix.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_graphic.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_graphic.html@@ -127,30 +127,30 @@ if(nTimeType == 0) {- d.setSeconds(d.getSeconds()-300);+ d.setSeconds(d.getSeconds()-360); for(var i=0;i<60;i++) {- d.setSeconds(d.getSeconds() + 5);+ d.setSeconds(d.getSeconds() + 6); strData += d.getFullYear()+"/"+(d.getMonth()+1)+"/"+d.getDate()+" "+d.getHours()+":"+d.getMinutes()+":"+d.getSeconds()+","+arrValue[i]+"\n"; } } else if(nTimeType == 1) {- d.setHours(d.getHours()-5);- d.setSeconds(d.getSeconds()-150);+ d.setHours(d.getHours()-6);+ d.setSeconds(d.getSeconds()-240); for(var i=0;i<60;i++) {- d.setSeconds(d.getSeconds() + 300);+ d.setSeconds(d.getSeconds() + 360); strData += d.getFullYear()+"/"+(d.getMonth()+1)+"/"+d.getDate()+" "+d.getHours()+":"+d.getMinutes()+":"+d.getSeconds()+","+arrValue[i]+"\n"; } } else if(nTimeType == 2) {- d.setDate(d.getDate()-10);- d.setSeconds(d.getSeconds()-7200);+ d.setDate(d.getDate()-15);+ d.setSeconds(d.getSeconds()-3600); for(var i=0;i<60;i++) {- d.setSeconds(d.getSeconds() + 14400);+ d.setSeconds(d.getSeconds() + 21600); strData += d.getFullYear()+"/"+(d.getMonth()+1)+"/"+d.getDate()+" "+d.getHours()+":"+d.getMinutes()+":"+d.getSeconds()+","+arrValue[i]+"\n"; } }@@ -167,7 +167,7 @@ colors:['blue'], fillGraph:true, includeZero:true,- pixelsPerXLabel:80,+ pixelsPerXLabel:90, pixelsPerYLabel:18, labelsDiv: $("labels1") }@@ -184,7 +184,7 @@ colors:['green'], fillGraph:true, includeZero:true,- pixelsPerXLabel:80,+ pixelsPerXLabel:90, pixelsPerYLabel:18, labelsDiv: $("labels2") }@@ -201,7 +201,7 @@ colors:['red'], fillGraph:true, includeZero:true,- pixelsPerXLabel:80,+ pixelsPerXLabel:90, pixelsPerYLabel:18, labelsDiv: $("labels3") }@@ -263,13 +263,13 @@ $("timetype3").value = getCookie("chart3_time"); }-setInterval("getDownloadSpeed()",4800);+setInterval("getDownloadSpeed()",3800); 
getDownloadSpeed();-setInterval("getUploadSpeed()",4800);+setInterval("getUploadSpeed()",3800); setTimeout("getUploadSpeed()",100);-setInterval("getSessionNumber()",4800);+setInterval("getSessionNumber()",3800); setTimeout("getSessionNumber()",200); setTimeout("window.location.reload()",1000*60);
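Review bot: the three pollers still use the string form `setInterval("getDownloadSpeed()",3800)`, which is evaluated as code; pass the function reference instead (`setInterval(getDownloadSpeed, 3800)`) so that a Content-Security-Policy without 'unsafe-eval' can be applied to the admin UI. The window arithmetic is consistent (60 samples x 6 s = 6 min, x 360 s = 6 h, x 21600 s = 15 days), but the server-side sample buffer that fills arrValue must have moved to the same spacing, which this diff does not show.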
After analyzing the provided code diff, I don't find any security vulnerability being fixed. The changes adjust chart timing and display parameters:

1. Vulnerability Existed: no
Timing Parameter Adjustments
[File] webadmin/admin_graphic.html [Lines 127-150, 263-268]
[Old Code] sample spacing 5 s / 300 s / 14400 s over windows of 300 s, 5 h and 10 days; polling every 4800 ms
[Fixed Code] sample spacing 6 s / 360 s / 21600 s over windows of 360 s, 6 h and 15 days; polling every 3800 ms
Note: The arithmetic is consistent in each branch (60 samples x 6 s = 6 min, 60 x 360 s = 6 h, 60 x 21600 s = 15 days), so the chart windows got longer and the refresh slightly faster. Display behaviour only.

2. Vulnerability Existed: no
Display Parameter Changes
[File] webadmin/admin_graphic.html [Lines 167-201]
[Old Code] pixelsPerXLabel:80
[Fixed Code] pixelsPerXLabel:90
Note: Graph label spacing only.

None of these changes addresses a known vulnerability; they are routine adjustments to the dashboard's timing and rendering.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_loginok.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_loginok.html@@ -15,10 +15,12 @@ password = string.gsub(password,"+"," ") password = string.gsub(password,"\t","+")+username = string.sub(username, 1, 128)+password = string.sub(password, 1, 128) if c_CheckAdmin(username,password) == false or c_CheckAdminIp(username,_REMOTE_IP) == false then c_AddAdminFailedIp(_REMOTE_IP)- c_AddAdminLog("administrator '"..string.sub(username, 1, 64).."'(IP:".._REMOTE_IP..") login failed!",ADMIN_LOG_ERROR)+ c_AddAdminLog("administrator '"..username.."'(IP:".._REMOTE_IP..") login failed!",ADMIN_LOG_ERROR) print("<script>alert('"..LANG["signin_failed"].."');location='admin_login.html';</script>") else if _COOKIE["UIDADMIN"] ~= nil then
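Review bot: the cap bounds length only; nothing in this hunk strips or rejects '\0' or other control bytes from `username` and `password` before they reach `c_CheckAdmin` and the admin log, so if the null-byte fix for this release lives elsewhere, reference it here, and otherwise reject such input up front (on Lua 5.1 `if username:find("%z") then ... end`; on 5.2 and later `"\0"` works in the pattern). Note also that `string.sub(username, 1, 128)` cuts by byte and can split a multi-byte UTF-8 character, and that the logged username is still attacker-controlled text that log viewers must escape.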
Analyzing the provided code diff, here's the security analysis:

1. Vulnerability Existed: not sure
Input length bound on admin credentials
[File] webadmin/admin_loginok.html [Lines] 15-16
Old Code: (none - no length limitation)
Fixed Code: username = string.sub(username, 1, 128) password = string.sub(password, 1, 128)
Additional Details: Lua strings are length-prefixed, so this is not a buffer-overflow fix in the Lua layer; what it bounds is the length handed to the native c_CheckAdmin and c_CheckAdminIp calls and written to the admin log. The truncation runs after the '+' and tab substitutions and is byte-based, so it can split a multi-byte UTF-8 character. Nothing in this hunk rejects '\0' or other control bytes, so on its own it does not address the null-byte handling described for this release; that fix, if present, is elsewhere.

2. Vulnerability Existed: no
Log line no longer sub-truncates the username to 64 characters
[File] webadmin/admin_loginok.html [Lines] 18
Old Code: c_AddAdminLog("administrator '"..string.sub(username, 1, 64).."'(IP:".._REMOTE_IP..") login failed!",ADMIN_LOG_ERROR)
Fixed Code: c_AddAdminLog("administrator '"..username.."'(IP:".._REMOTE_IP..") login failed!",ADMIN_LOG_ERROR)
Additional Details: Not a regression: username is already capped at 128 bytes two lines earlier, so the log entry stays bounded; the cap simply moved from the log call to the input. The logged value is still attacker-controlled text and must be escaped by whatever renders the admin log.
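The hunk above only caps the length of the two credentials. As an added example (not Wing FTP Server code), here is the kind of pre-check a Lua login handler could run before handing the values to the native authentication call: it rejects NUL and other control bytes outright instead of truncating, which is the property the null-byte issue in this release calls for. The function name `check_credential`, the `MAX_LEN` value of 128 and the sample inputs are assumptions made for this illustration.

```lua
-- Added example, not Wing FTP Server code. check_credential, MAX_LEN and
-- the sample inputs below are assumptions made for this illustration.
local MAX_LEN = 128

-- Returns true when the value may be passed on to the authentication
-- call, otherwise false plus a short reason. Rejecting beats truncating:
-- string.sub(s, 1, 128) keeps whatever bytes come first, including a
-- '\0' that a C caller or a generated Lua file may treat as a terminator
-- or a separator even though the Lua string carries it as data.
local function check_credential(value)
  if type(value) ~= "string" then
    return false, "missing"
  end
  if #value == 0 then
    return false, "empty"
  end
  if #value > MAX_LEN then
    return false, "longer than " .. MAX_LEN .. " bytes"
  end
  -- A byte loop rather than a pattern: it behaves the same on Lua 5.1
  -- (where '\0' needs %z in patterns) and on 5.2 and later.
  for i = 1, #value do
    local b = value:byte(i)
    if b == 0 then
      return false, "NUL byte at position " .. i
    elseif b < 32 or b == 127 then
      return false, string.format("control byte 0x%02x at position %d", b, i)
    end
  end
  return true
end

-- Constructed inputs for the demonstration; none come from a real system.
local samples = {
  { "admin",                      "plain name" },
  { "admin\0tail",                "embedded NUL" },
  { "user\r\nX-Injected: 1",      "CR/LF inside the value" },
  { string.rep("a", MAX_LEN + 1), "one byte over the cap" },
  { string.rep("a", MAX_LEN),     "exactly at the cap" },
}

for _, s in ipairs(samples) do
  local ok, reason = check_credential(s[1])
  print(string.format("%-6s %-24s %s", ok and "accept" or "reject", s[2], reason or ""))
end
```

Hooked in just before c_CheckAdmin, a false result should take the same path as a wrong password (count the attempt with c_AddAdminFailedIp and show the same failure page), so a rejected value is indistinguishable from a failed login to the client.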
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/downloadfolder.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/downloadfolder.html@@ -158,7 +158,7 @@ </tr> <tr> <td height="35" style="font-size:12px;color:#FFF;">- <a href="https://www.wftpserver.com/" target="_blank" style="color:#FFF;">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved+ <a href="https://www.wftpserver.com/" target="_blank" style="color:#FFF;">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved </td> </tr> </table>
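Review bot: while touching this anchor, add `rel="noopener noreferrer"` to the `target="_blank"` link; current browsers imply noopener for target="_blank", but older ones hand the opened page a window.opener reference to the web client. Otherwise the change is a copyright year only.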
Based on the provided diff, here's the analysis:

Vulnerability Existed: no
No security vulnerability found
[File] webclient/downloadfolder.html [Lines] 158
[Old Code]
```
<a href="https://www.wftpserver.com/" target="_blank" style="color:#FFF;">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved
```
[Fixed Code]
```
<a href="https://www.wftpserver.com/" target="_blank" style="color:#FFF;">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved
```

Additional Details:
- The change appears to be a simple copyright year update (2024 to 2025)
- No security-related changes were made in this diff
- The href attribute still uses HTTPS (secure protocol)
- The target="_blank" attribute remains, but this isn't inherently a vulnerability in this context
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/czech.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/czech.html@@ -50,7 +50,7 @@ rmdir_tip = "(tento krok odstraní všechny podadresáře a soubory!)", create_title = "Vytvořit novou složku", create_filename = "Název složky",-create_submit = " OK ",+create_submit = " OK ", create_cancel = " Zrušit ", goto_title = "Jít do adresáře", goto_path = "Cesta k adresáři",@@ -171,7 +171,7 @@ str_searchin = "Hledat(kde)", str_searchfor = "Hledat(co)", str_searchfiles = "Vyhledat soubory ve složce",-str_search_tip = "Prosím vložte klíčové slovo pro hledání!",+str_search_tip = "Prosím vložte klíčové slovo pro hledání", str_searching = "Vyhledávám ...", str_searchfor_tip = "<b>Např.</b> faq.txt, *.mp3",@@ -253,7 +253,7 @@ download_extension = "Rozšíření prohlížeče", download_single_file = "Chcete-li stáhnout jeden soubor, musíte nejprve vybrat soubor kliknutím na jeho název souboru.", download_multiple_files = "Ke stažení více souborů / složek můžete použít rozšíření Google Chrome 'Wing Download Manager', stačí kliknout na ikonu rozšíření v prohlížeči.<br><br>Pokud jste toto rozšíření ještě nenainstalovali, stáhněte si ho z Internetového obchodu Chrome: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "Ke stažení více souborů / složek můžete použít rozšíření Firefox 'Wing Download Manager', stačí kliknout na ikonu rozšíření v prohlížeči.<br><br>Pokud jste toto rozšíření ještě nenainstalovali, stáhněte si jej z webu Firefox Add-ons: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "Ke stažení více souborů / složek můžete použít rozšíření Firefox 'Wing Download Manager', stačí kliknout na ikonu rozšíření v 
prohlížeči.<br><br>Pokud jste toto rozšíření ještě nenainstalovali, stáhněte si jej z webu Firefox Add-ons: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "Je vyžadováno dvoufaktorové ověřování (TOTP)", str_verify = "Ověřit",@@ -271,6 +271,10 @@ edit_office_files = "Pro zobrazení/úpravu souborů Microsoft Word, Excel a PowerPoint můžete použít rozšíření Google Chrome 'Office Editing for Docs, Sheets & Slides'.<br><br>Pokud jste toto rozšíření ještě nenainstalovali, stáhněte si ho z Internetového obchodu Chrome: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "Náhled videa", scan_qrcode = "Naskenujte nebo klikněte na QR kód pro stažení",+str_theme_label = "Téma:",+str_theme_modern = "Moderní",+str_theme_classic = "Klasický",+str_copied = "Zkopírováno", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "Chyba: čeká na další operaci, zkuste to prosím později" RESULT_STR[-11] = "Chyba: nedostatek přístupových práv, nelze vytvořit podsložku" RESULT_STR[1] = "V provozu, úspěch!"+RESULT_STR[0] = "V provozu, úspěch!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "Přihlášení se nezdařilo: jméno nebo heslo nenalezeno"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "Přihlášení se nezdařilo: Windows Authentication cannot work when Windows Guest account enabled" LOGINERROR_STR[-15] = "Přihlášení se nezdařilo: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "Přihlášení proběhlo úspěšně!"+LOGINERROR_STR[0] = "Přihlášení proběhlo úspěšně!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "Změna hesla se nezdařila: změna hesla není povolena"
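Review bot: the create_submit hunk shows no visible difference (both sides read `" OK "`), which points to a change in the whitespace characters themselves (for example non-breaking spaces replaced by plain spaces); a one-line commit note would stop this hunk from being treated as noise or reverted.

Review bot: the new `RESULT_STR[0] = "V provozu, úspěch!"` entry repeats the `RESULT_STR[1]` success text verbatim, so the web client will now display result code 0 as success. Confirm that the server returns 0 only on success, because elsewhere in this same release (the LDAP test in admin_domain_database.html) anything other than 1 is treated as failure; if 0 and 1 really are both success codes, alias one key to the other instead of duplicating the literal.

Review bot: `LOGINERROR_STR[0]` likewise duplicates the `LOGINERROR_STR[1]` message, so the same question applies to the login result code 0. The surrounding context lines also show `LOGINERROR_STR[-14]` and `[-15]` still carry English text after the Czech prefix ("Windows Authentication cannot work when Windows Guest account enabled", "exceeded the max user accounts which current version allows"), so the translation of this table is incomplete.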
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be mostly cosmetic or functional improvements. Here's the analysis:

1. Vulnerability Existed: no
   No security vulnerability found
   [File] webclient/language/czech.html [Lines] 50
   Old Code: create_submit = " OK ",
   Fixed Code: create_submit = " OK ",
   (This is just a whitespace/formatting change)

2. Vulnerability Existed: no
   No security vulnerability found
   [File] webclient/language/czech.html [Lines] 171
   Old Code: str_search_tip = "Prosím vložte klíčové slovo pro hledání!",
   Fixed Code: str_search_tip = "Prosím vložte klíčové slovo pro hledání",
   (Minor text change, removed exclamation mark)

3. Vulnerability Existed: no
   No security vulnerability found
   [File] webclient/language/czech.html [Lines] 253
   Old Code: download_multiple_files2 with old Firefox addon URL
   Fixed Code: download_multiple_files2 with new Firefox addon URL
   (Just a URL update for a browser extension)

4. Vulnerability Existed: no
   No security vulnerability found
   [File] webclient/language/czech.html [Lines] 271-274, 286, 290, 304, 309
   Old Code: Missing some string definitions and result codes
   Fixed Code: Added new string definitions and result codes
   (Added new functionality/translations, not security-related)

The changes appear to be:
1. UI/string formatting improvements
2. Updated extension URLs
3. Added new translation strings
4. Added new status code mappings

No security vulnerabilities were identified in these changes. The modifications seem focused on improving user experience and maintaining current functionality rather than addressing security issues.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/help/english/zoom_index.js+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/help/english/zoom_index.js@@ -11,18 +11,18 @@ "bool 0 78 124 17 18 72 30 140 126 39 47 48 67 174 30", "true 0 40 108 13 26 12 16 24 65 17 18 72 30 120 126 39 54 50 67 18 20", "administrator 0 101 250 4 10 8 6 89 28 7 10 16 16 10 16 45 10 1",- "login 0 40 100 4 10 8 6 33 34 7 33 51 9 33 20 12 60 47 14 78 54 17 12 6 30 18 32 43 18 20 49 18 12 59 10 16 62 18 6",+ "login 0 40 100 4 10 8 6 33 34 7 33 51 9 33 20 12 60 47 14 78 54 17 12 6 30 18 32 43 18 20 49 18 24 59 10 16 62 18 6", "successful 0 18 68 1 10 8 14 18 18 17 8 64", "otherwise 0 47 108 14 26 50 17 18 72 30 89 62 39 60 60 59 10 16 67 18 20", "false 0 40 108 17 18 72 30 120 126 37 10 16 39 47 48 67 18 20", "remarks 0 108 126 17 103 120 29 84 126 30 163 126 39 108 126 67 120 30",- "check 0 26 96 2 10 16 3 10 8 5 10 16 7 10 4 14 47 22 15 18 6 17 4 8 22 10 1 23 26 25 27 10 64 30 26 14 36 10 1 39 18 48 47 54 30 49 10 4 67 18 20",+ "check 0 26 96 2 10 16 3 10 8 5 10 16 7 10 4 14 47 22 15 18 6 17 4 8 22 10 1 23 26 25 27 10 64 30 26 14 36 10 1 39 18 48 47 54 30 49 10 8 67 18 20", "administrator's 0 33 120 37 18 32", "c_checkadminip 0 10 64", "strip 0 26 44",- "the 0 124 62 1 144 110 2 26 5 3 104 63 4 84 56 5 26 14 6 144 126 7 156 63 8 124 127 9 124 62 10 54 54 11 26 18 12 198 127 13 66 120 14 208 126 15 108 63 16 108 59 17 160 126 18 33 23 19 84 62 20 84 63 21 99 127 22 26 21 23 60 63 24 124 63 25 132 63 26 40 31 27 134 63 28 136 63 29 163 126 30 206 126 31 10 2 32 33 14 33 66 50 34 72 50 36 116 127 37 108 48 38 124 127 39 148 126 40 40 14 41 94 62 42 40 35 43 116 63 44 99 127 45 10 16 46 187 127 47 136 62 48 72 63 49 78 31 50 18 10 51 112 94 52 33 23 53 94 60 54 99 127 55 47 60 56 10 1 57 40 30 58 94 63 59 33 42 60 40 15 61 124 63 62 99 63 63 54 59 64 40 16 65 72 63 66 40 23 67 192 62",+ "the 0 124 62 1 144 110 2 26 5 3 104 63 4 84 56 5 26 14 6 144 126 
7 156 63 8 124 127 9 124 62 10 54 54 11 26 18 12 198 127 13 66 120 14 208 126 15 108 63 16 108 59 17 160 126 18 33 23 19 84 62 20 84 63 21 99 127 22 26 21 23 60 63 24 124 63 25 132 63 26 40 31 27 134 63 28 136 63 29 163 126 30 206 126 31 10 2 32 33 14 33 66 50 34 72 50 36 116 127 37 108 48 38 124 127 39 148 126 40 40 14 41 94 62 42 40 35 43 116 63 44 99 127 45 10 16 46 187 127 47 136 62 48 72 63 49 84 31 50 18 10 51 112 94 52 33 23 53 94 60 54 99 127 55 47 60 56 10 1 57 40 30 58 94 63 59 33 42 60 40 15 61 124 63 62 99 63 63 54 59 64 40 16 65 72 63 66 40 23 67 192 62", "client 0 33 44 9 10 8 10 18 12 12 18 18 20 18 18 27 33 15 36 18 2 38 26 56 42 10 4 43 26 33 44 26 12 46 26 6 47 33 20 49 33 24 58 66 55 60 10 16 62 33 12 65 26 18 67 10 16",- "when 0 26 36 1 18 36 3 18 17 5 10 2 6 10 32 7 10 32 8 10 4 9 33 58 10 26 14 12 10 64 14 18 40 16 26 33 17 137 14 20 18 32 23 10 2 27 10 1 28 10 8 30 10 2 36 33 28 37 10 32 38 10 32 39 26 12 43 10 1 44 33 56 47 18 18 49 54 30 53 10 4 59 10 16 62 26 28 65 18 18 67 18 10",+ "when 0 26 36 1 18 36 3 18 17 5 10 2 6 10 32 7 10 32 8 10 4 9 33 58 10 26 14 12 10 64 14 18 40 16 26 33 17 137 14 20 18 32 23 10 2 27 10 1 28 10 8 30 10 2 36 33 28 37 10 32 38 10 32 39 26 12 43 10 1 44 33 56 47 18 18 49 60 30 53 10 4 59 10 16 62 26 28 65 18 18 67 18 10", "banned 0 26 36 9 10 2 17 48 14 24 10 32 25 10 32 61 10 32", "c_adminlogout 0 10 32", "strsessionid 0 10 32",@@ -48,7 +48,7 @@ "formatted 0 40 26 17 33 56 30 72 30", "refuse 0 26 18 4 10 16 6 10 4 12 104 25 17 15 16 25 10 16 30 33 16 33 10 16 34 10 8 64 10 8", "domain 0 18 16 1 26 4 6 33 8 7 84 30 8 8 128 9 16 128 10 22 160 12 163 95 13 10 16 14 52 152 15 15 192 16 8 128 17 140 254 18 40 209 19 64 227 20 38 140 21 54 248 23 26 38 24 35 240 26 16 128 27 22 144 28 10 4 29 99 112 30 26 16 31 16 130 32 8 128 33 62 242 34 10 2 35 16 128 36 30 162 37 54 56 41 8 128 45 10 2 46 47 28 47 16 128 48 10 4 49 64 227 51 26 4 56 8 128 57 16 128 59 8 128 60 8 128 61 8 128 62 16 160 63 8 128 64 8 128 65 24 146 
66 8 128 67 128 62",- "all 0 33 30 1 10 16 3 10 8 5 10 4 7 10 8 8 18 32 9 10 2 14 47 86 15 33 34 17 21 112 19 10 32 24 33 24 25 40 24 26 10 4 27 10 4 28 33 7 30 89 126 33 18 48 34 10 32 36 18 96 37 10 16 38 18 4 40 10 8 41 33 12 44 10 32 53 18 34 58 10 8 59 18 2 61 18 24 63 10 16 64 10 16 65 18 4",+ "all 0 33 30 1 10 16 3 10 8 5 10 4 7 10 8 8 18 32 9 10 2 14 47 86 15 33 34 17 21 112 19 10 32 24 33 24 25 40 24 26 10 4 27 10 4 28 33 7 30 89 126 33 18 48 34 10 32 36 18 96 37 10 16 38 18 4 40 10 8 41 33 12 44 10 32 49 10 2 53 18 34 58 10 8 59 18 2 61 18 24 63 10 16 64 10 16 65 18 4", "domains 0 10 16 6 18 8 7 10 4 14 18 36 30 33 96 37 10 16 43 10 16 58 18 24", "can 0 10 16 1 54 110 2 10 16 3 10 32 4 18 40 5 18 34 6 54 94 7 54 59 8 60 55 9 33 26 10 10 2 12 18 36 13 18 32 14 84 62 15 10 64 16 40 59 19 26 48 20 60 60 22 26 26 23 10 2 24 66 62 25 60 46 26 33 46 27 18 72 28 33 80 30 18 96 32 26 10 33 26 48 34 33 48 36 33 92 37 47 96 38 47 30 39 18 4 40 33 44 41 18 5 44 18 12 46 18 68 47 47 54 48 10 32 49 33 28 50 10 4 51 10 1 53 26 84 55 10 16 56 10 4 57 10 16 58 108 127 59 18 5 60 18 24 61 66 63 62 40 42 63 26 13 64 33 48 65 18 65 67 134 42", "manage 0 10 16 1 10 32 5 10 1 20 26 12 58 10 16",@@ -89,12 +89,12 @@ "c_removeadminfailedip 0 10 4", "remove 0 10 4 17 4 8 39 10 32 55 10 16 63 10 2 67 18 10", "from 0 10 4 1 26 100 4 47 56 6 47 6 7 18 40 9 10 8 10 26 56 11 10 8 15 40 14 20 18 72 22 10 16 24 10 4 25 10 4 27 40 60 33 18 40 34 18 40 38 10 16 40 18 6 43 18 40 48 10 16 50 10 4 55 10 8 58 18 33 60 10 16 61 10 2 64 26 56 65 18 32 66 10 2",- "for 0 10 4 1 26 70 3 10 32 4 26 50 5 26 50 6 47 46 7 60 62 8 33 26 9 26 50 10 33 12 12 158 127 13 18 96 14 112 126 15 18 24 16 26 35 17 75 126 19 33 22 20 54 14 21 10 8 22 26 7 23 10 4 24 18 24 25 26 56 26 10 16 27 47 30 28 40 39 29 26 42 30 40 58 32 18 8 33 26 52 34 33 52 35 10 4 36 54 87 37 94 120 38 33 49 39 60 6 40 26 56 41 33 32 42 10 4 43 10 1 46 54 115 47 26 36 48 18 18 49 78 62 50 18 16 51 40 86 53 10 32 54 10 16 55 18 48 58 72 
47 59 18 36 60 10 4 61 26 52 62 40 5 63 10 16 64 33 50 65 66 31 66 18 20 67 120 62",+ "for 0 10 4 1 26 70 3 10 32 4 26 50 5 26 50 6 47 46 7 60 62 8 33 26 9 26 50 10 33 12 12 158 127 13 18 96 14 112 126 15 18 24 16 26 35 17 75 126 19 33 22 20 54 14 21 10 8 22 26 7 23 10 4 24 18 24 25 26 56 26 10 16 27 47 30 28 40 39 29 26 42 30 40 58 32 18 8 33 26 52 34 33 52 35 10 4 36 54 87 37 94 120 38 33 49 39 60 6 40 26 56 41 33 32 42 10 4 43 10 1 46 54 115 47 26 36 48 18 18 49 78 122 50 18 16 51 40 86 53 10 32 54 10 16 55 18 48 58 72 47 59 18 36 60 10 4 61 26 52 62 40 5 63 10 16 64 33 50 65 66 31 66 18 20 67 120 62", "system 0 10 4 7 10 16 8 10 32 14 18 32 30 91 242 37 10 32 39 10 8 45 10 2 53 26 48 58 10 8", "anti-hammer 0 10 4 9 18 4", "c_clearadminsession 0 10 4", "clear 0 10 4 30 10 32",- "expired 0 10 4 40 10 4",+ "expired 0 10 4 40 10 4 49 10 2", "sessions 0 10 4 10 54 48 15 26 38 17 48 102 20 10 16 21 66 56 37 10 16 41 60 28 46 60 56 54 60 56 58 10 32 65 47 36", "c_changeadminlistener 0 10 4", "int 0 33 6 12 254 127 17 160 120 29 152 126 30 99 62 39 40 10 67 235 126",@@ -114,7 +114,7 @@ "mask 0 33 2 12 84 93 17 18 16 24 10 32 25 10 32 30 33 16 61 10 32 67 18 32", "c_setadminipmasklist 0 10 2", "tabipmask 0 10 2 17 4 16 30 10 16",- "set 0 10 2 3 10 1 4 18 48 6 18 4 16 18 3 17 15 16 24 18 24 25 18 24 29 36 212 30 18 16 32 10 8 33 18 48 34 18 48 37 10 16 38 10 2 41 33 52 43 10 8 45 18 17 49 10 8 51 18 2 53 10 4 58 18 3 61 18 24 63 10 32 64 18 16 65 18 18",+ "set 0 10 2 3 10 1 4 18 48 6 18 4 16 18 3 17 15 16 24 18 24 25 18 24 29 36 212 30 18 16 32 10 8 33 18 48 34 18 48 37 10 16 38 10 2 41 33 52 43 10 8 45 18 17 49 10 16 51 18 2 53 10 4 58 18 3 61 18 24 63 10 32 64 18 16 65 18 18", "c_getadminlog 0 10 2", "log 0 47 2 1 10 8 2 34 198 3 64 79 4 10 32 6 10 4 14 18 16 15 18 5 16 10 16 17 24 32 18 34 198 19 85 255 30 47 16 52 34 198 53 76 124 59 18 5 62 10 16 64 10 32", "text 0 18 2 12 94 36 14 10 4 17 18 32 30 26 18 38 18 32 58 26 18",@@ -139,7 +139,7 @@ "windows 1 10 64 6 10 
16 7 18 48 14 54 104 20 10 32 30 10 32 39 18 6 42 18 8 58 33 116", "command 1 66 124 7 10 32 16 10 16 17 15 4 20 26 34 37 10 64 38 26 8 62 10 8", "prompt 1 33 106",- "you 1 84 126 2 10 16 3 18 33 4 33 56 5 33 38 6 99 60 7 99 127 8 72 119 9 33 26 10 10 2 12 10 64 13 26 34 14 140 126 15 10 64 16 47 59 19 33 56 20 66 60 22 47 31 23 33 46 24 47 58 25 40 58 26 33 58 27 66 126 28 60 59 30 10 2 33 26 48 34 33 48 36 47 58 37 60 96 38 47 22 39 18 4 40 54 54 41 26 38 43 18 48 44 40 12 45 10 8 47 40 26 48 26 48 49 26 14 50 26 14 51 66 62 53 33 100 55 18 20 56 10 4 58 108 63 59 26 17 60 10 2 61 40 25 62 47 7 63 10 32 64 33 48 65 40 83 66 18 40",+ "you 1 84 126 2 10 16 3 18 33 4 33 56 5 33 38 6 99 60 7 99 127 8 72 119 9 33 26 10 10 2 12 10 64 13 26 34 14 140 126 15 10 64 16 47 59 19 33 56 20 66 60 22 47 31 23 33 46 24 47 58 25 40 58 26 33 58 27 66 126 28 60 59 30 10 2 33 26 48 34 33 48 36 47 58 37 60 96 38 47 22 39 18 4 40 54 54 41 26 38 43 18 48 44 40 12 45 10 8 47 40 26 48 26 48 49 26 26 50 26 14 51 66 62 53 33 100 55 18 20 56 10 4 58 108 63 59 26 17 60 10 2 61 40 25 62 47 7 63 10 32 64 33 48 65 40 83 66 18 40", "run 1 26 98 16 10 32 36 10 2 42 10 32 44 18 48 55 18 36 58 26 48", "commands 1 40 76", "scripts 1 33 70 37 33 96 55 10 32",@@ -153,7 +153,7 @@ "and 1 72 62 4 26 10 5 10 16 6 66 99 7 99 63 8 78 59 9 26 38 12 47 86 13 26 32 14 78 126 15 54 57 16 18 9 17 8 64 19 10 32 20 26 19 21 10 32 22 26 22 23 33 58 24 40 6 25 40 6 27 26 36 28 89 119 30 10 64 32 10 4 33 26 10 34 26 10 35 26 18 36 54 62 37 78 112 38 40 38 39 26 6 40 26 42 41 26 14 43 58 126 45 10 4 46 26 65 47 10 16 48 10 4 49 10 4 50 10 1 51 33 112 53 26 36 55 10 4 58 94 126 60 10 4 61 40 7 62 33 42 63 10 8 64 26 10 65 10 64 66 10 4 67 58 122", "web-based 1 40 44 7 10 16 58 26 48", "internal 1 10 32",- "this 1 33 48 2 10 4 3 18 24 5 26 24 6 26 44 7 18 36 9 10 32 10 18 34 11 10 4 13 18 40 14 18 34 15 18 6 16 10 1 17 33 110 18 10 8 19 10 4 20 47 30 21 26 56 24 26 48 25 10 32 27 40 103 28 54 24 29 26 44 30 18 24 31 10 
4 33 10 32 36 18 40 37 10 32 38 33 112 39 18 4 40 10 1 41 33 13 44 33 50 46 89 63 47 10 16 48 47 30 49 47 45 51 26 18 52 10 8 54 26 56 55 18 8 58 33 50 59 47 53 61 33 48 62 72 61 63 10 16 64 26 32 65 18 18 67 54 14",+ "this 1 33 48 2 10 4 3 18 24 5 26 24 6 26 44 7 18 36 9 10 32 10 18 34 11 10 4 13 18 40 14 18 34 15 18 6 16 10 1 17 33 110 18 10 8 19 10 4 20 47 30 21 26 56 24 26 48 25 10 32 27 40 103 28 54 24 29 26 44 30 18 24 31 10 4 33 10 32 36 18 40 37 10 32 38 33 112 39 18 4 40 10 1 41 33 13 44 33 50 46 89 63 47 10 16 48 47 30 49 47 57 51 26 18 52 10 8 54 26 56 55 18 8 58 33 50 59 47 53 61 33 48 62 72 61 63 10 16 64 26 32 65 18 18 67 54 14", "machine 1 10 32 27 10 4 28 26 42 37 10 64 42 10 32 43 18 34", "that 1 26 44 5 10 4 6 26 24 7 18 34 8 10 16 10 18 16 13 10 64 17 8 8 21 26 56 24 10 32 25 10 32 28 10 16 36 10 32 43 10 2 44 10 4 45 10 8 46 33 56 51 10 4 54 26 56 55 10 16 57 10 16 58 10 64 61 10 32 65 18 32", "installed 1 10 32 7 10 1 30 18 32 39 10 32",@@ -161,7 +161,7 @@ "useful 1 18 40", "are 1 33 58 4 10 4 7 10 2 8 10 4 14 10 32 15 10 16 22 10 2 24 10 32 25 10 32 26 10 16 27 18 32 28 10 8 32 10 32 33 10 8 34 10 8 35 10 16 36 18 8 37 10 32 38 18 4 41 10 64 42 10 16 43 10 32 51 26 2 53 10 4 61 10 32 63 10 1 64 10 8 67 10 32", "running 1 10 32 21 10 32 54 10 32",- "without 1 10 32 14 10 32 35 10 32 42 10 1 49 18 12 58 10 2 63 10 8",+ "without 1 10 32 14 10 32 35 10 32 42 10 1 49 18 24 58 10 2 63 10 8", "gui 1 10 32", "don't 1 10 32 43 10 16", "want 1 10 32 5 10 16 7 10 8 14 40 100 16 10 2 20 10 16 26 10 8 28 10 2 37 18 32 40 10 4 41 10 32 47 10 8 48 10 32 55 10 4 62 18 5 63 10 32 65 10 1 66 10 32",@@ -183,12 +183,12 @@ "sure 1 10 16 22 10 2 28 18 16 40 10 1", "how 1 10 16 36 10 4 42 10 4 47 10 2 58 10 32", "--help 1 18 16",- "will 1 26 28 3 33 21 4 18 48 5 10 4 6 33 36 7 40 106 8 18 34 9 54 62 10 33 14 12 10 64 14 54 94 15 10 2 16 40 39 17 8 8 19 26 44 20 26 50 22 10 8 25 18 16 27 40 23 28 47 14 36 10 32 37 10 64 38 10 32 40 26 6 41 33 46 43 10 2 44 33 56 47 
18 20 48 18 24 49 33 7 51 26 28 53 33 60 55 18 8 57 10 16 58 18 12 60 26 14 62 26 10 65 33 18 66 10 4 67 26 42",+ "will 1 26 28 3 33 21 4 18 48 5 10 4 6 33 36 7 40 106 8 18 34 9 54 62 10 33 14 12 10 64 14 54 94 15 10 2 16 40 39 17 8 8 19 26 44 20 26 50 22 10 8 25 18 16 27 40 23 28 47 14 36 10 32 37 10 64 38 10 32 40 26 6 41 33 46 43 10 2 44 33 56 47 18 20 48 18 24 49 40 7 51 26 28 53 33 60 55 18 8 57 10 16 58 18 12 60 26 14 62 26 10 65 33 18 66 10 4 67 26 42", "see 1 18 20 7 10 1 14 18 18 15 10 32 16 10 8 17 15 32 20 10 16 67 18 10", "allowed 1 18 16 4 18 48 6 18 4 17 12 6 20 10 2 24 10 16 33 18 48 34 18 16 44 26 3 61 10 8 64 18 16 67 10 32", "options 1 18 16 7 10 32 15 10 16 17 12 88 19 10 2 29 36 236 30 18 32 32 10 16 40 10 4 63 10 16", "follows 1 10 16",- "show 1 10 16 12 60 45 38 10 16 49 10 4 62 10 8 67 33 36",+ "show 1 10 16 12 60 45 38 10 16 49 10 8 62 10 8 67 33 36", "message 1 10 16 12 33 45 17 4 4 20 26 16 26 10 2 46 18 64 47 10 2 67 18 36", "--username 1 10 16", "arg 1 40 16",@@ -209,7 +209,7 @@ "--ssl 1 10 16", "connection 1 18 8 10 29 204 12 33 45 14 18 8 17 15 64 23 10 8 28 10 8 33 10 16 36 10 1 37 10 8 48 10 1 64 10 8 65 26 82 67 10 32", "note 1 40 8 12 99 100 13 10 2 14 18 80 22 10 4 28 10 16 38 18 24 51 10 32 67 54 32",- "after 1 10 8 7 10 4 10 10 2 13 10 16 14 33 22 22 10 8 23 10 4 28 10 8 38 10 1 40 18 36 46 10 4 49 10 2 55 18 8 58 10 32",+ "after 1 10 8 7 10 4 10 10 2 13 10 16 14 33 22 22 10 8 23 10 4 28 10 8 38 10 1 40 18 36 46 10 4 49 10 4 55 18 8 58 10 32", "please 1 10 8 5 10 16 12 10 64 14 33 108 22 18 5 23 10 16 26 10 2 28 10 16 40 26 19 51 10 8 58 10 1", "following 1 10 8 6 10 64 7 10 32 9 10 8 14 18 8 19 10 16 28 10 16 42 10 16 62 10 32", "admin12345 1 10 8",@@ -235,9 +235,9 @@ "appear 1 10 4", "right 1 10 4 7 10 8 22 10 2 24 10 2 25 10 2 28 10 2 61 10 2", "userlist 1 10 4 37 18 32 67 18 4",- "user 1 10 4 6 41 200 7 33 4 8 10 1 9 60 60 10 33 48 12 128 119 13 33 98 14 160 126 15 18 4 16 10 1 17 79 78 24 10 1 28 10 2 32 54 26 33 10 2 37 26 
32 38 10 8 41 48 231 45 10 2 46 54 6 47 10 16 49 33 16 58 33 28 59 54 245 60 26 196 61 54 248 62 85 253 63 60 222 64 54 240 65 67 236 66 14 192 67 166 252",+ "user 1 10 4 6 41 200 7 33 4 8 10 1 9 60 60 10 33 48 12 128 119 13 33 98 14 160 126 15 18 4 16 10 1 17 79 78 24 10 1 28 10 2 32 54 26 33 10 2 37 26 32 38 10 8 41 48 231 45 10 2 46 54 6 47 10 16 49 47 52 58 33 28 59 54 245 60 26 196 61 54 248 62 85 253 63 60 222 64 54 240 65 67 236 66 14 192 67 166 252", "apart 1 10 4",- "also 1 10 2 4 18 18 6 18 6 7 10 4 8 18 20 9 18 18 14 10 2 16 10 8 19 10 16 24 10 4 25 10 2 27 18 68 28 18 48 33 10 2 34 10 2 35 10 2 37 18 32 38 26 6 44 10 8 49 10 8 55 10 4 58 60 63 61 10 2 64 10 2",+ "also 1 10 2 4 18 18 6 18 6 7 10 4 8 18 20 9 18 18 14 10 2 16 10 8 19 10 16 24 10 4 25 10 2 27 18 68 28 18 48 33 10 2 34 10 2 35 10 2 37 18 32 38 26 6 44 10 8 49 10 16 55 10 4 58 60 63 61 10 2 64 10 2", "here 1 10 2 2 10 16 3 18 33 5 10 32 7 10 16 13 10 64 15 10 32 18 10 8 19 10 32 20 10 8 23 10 8 26 10 16 28 10 1 37 10 32 44 10 32 52 10 8 53 18 68 65 10 32", "there 1 10 2 8 10 4 12 10 64 14 33 18 15 10 16 37 10 32 53 10 4", "lots 1 10 2 8 10 4",@@ -279,10 +279,10 @@ "using 3 10 32 9 10 32 14 40 52 20 18 32 24 26 38 25 26 38 27 10 16 36 26 48 37 18 96 38 10 32 41 40 13 58 18 6 61 26 18", "stored 3 18 20 9 10 32 13 10 32 14 10 32 19 18 34 38 26 6 53 10 4", "hash 3 18 24 9 18 32 39 18 64",- "option 3 18 24 5 18 18 6 33 56 7 10 4 8 10 64 9 10 32 10 10 2 14 10 8 15 18 6 19 10 4 20 10 16 23 18 24 27 33 7 28 10 8 29 134 126 32 10 8 36 26 3 38 10 32 41 10 1 43 18 24 44 26 48 45 10 1 47 10 16 48 10 4 49 10 4 59 18 48 62 47 60 65 18 18",- "disabled 3 10 16 9 10 32 15 10 4 27 10 2 62 18 16",+ "option 3 18 24 5 18 18 6 33 56 7 10 4 8 10 64 9 10 32 10 10 2 14 10 8 15 18 6 19 10 4 20 10 16 23 18 24 27 33 7 28 10 8 29 134 126 32 10 8 36 26 3 38 10 32 41 10 1 43 18 24 44 26 48 45 10 1 47 10 16 48 10 4 49 10 8 59 18 48 62 47 60 65 18 18",+ "disabled 3 10 16 9 10 32 15 10 4 27 10 2 49 18 6 62 18 16", "save 3 10 
8 8 10 1 43 10 8 58 10 1",- "files 3 18 8 6 10 8 7 26 34 8 10 2 12 138 63 14 18 64 19 26 50 21 33 5 24 40 56 25 54 60 36 10 8 38 26 36 41 40 26 42 10 2 46 47 27 47 78 61 49 26 8 51 18 12 54 33 5 58 78 23 60 18 16 61 40 56 62 18 8 67 66 42",+ "files 3 18 8 6 10 8 7 26 34 8 10 2 12 138 63 14 18 64 19 26 50 21 33 5 24 40 56 25 54 60 36 10 8 38 26 36 41 40 26 42 10 2 46 47 27 47 78 61 49 26 24 51 18 12 54 33 5 58 78 23 60 18 16 61 40 56 62 18 8 67 66 42", "filename 3 18 12 8 10 16 12 33 25 16 10 8 17 8 16 19 26 48 24 10 16 30 26 24 46 10 4 51 10 16 53 18 16 58 10 2 61 10 16", "under 3 10 4 6 18 24 7 10 8 9 10 32 14 18 36 19 18 34 21 26 56 23 10 4 36 18 2 37 10 32 38 26 6 39 18 6 40 10 32 46 66 50 48 10 32 51 10 8 54 26 56 60 10 2 66 10 16", "supports 3 10 4 4 10 8 6 10 2 14 26 88 16 18 8 34 10 8 51 10 32 53 10 16 55 18 6 58 26 100",@@ -297,7 +297,7 @@ "4-digit 3 10 2 53 10 8", "value 3 10 2 4 10 2 6 10 2 10 10 2 12 60 45 13 10 8 14 10 8 17 4 16 20 33 19 29 134 126 33 10 4 34 10 4 35 10 4 39 18 2 53 10 8 64 10 2 67 33 36", "year 3 10 2 19 10 16 46 10 64 53 10 8",- "e.g 3 10 2 4 26 4 6 18 2 14 10 8 33 26 12 34 26 12 35 26 24 48 18 4 53 10 8 64 26 4 67 10 32",+ "e.g 3 10 2 4 26 4 6 18 2 14 10 8 33 26 12 34 26 12 35 26 24 48 18 4 49 10 4 53 10 8 64 26 4 67 10 32", "2009 3 10 2 53 10 8", "maxsize 3 10 2 19 10 8 53 10 8", "longer 3 10 1 40 10 4 53 10 8",@@ -307,7 +307,7 @@ "admin_log_setting.htm 3 6 64", "setting 3 7 64 14 18 96 19 7 64 20 7 64 29 26 42 32 20 192 53 7 64 65 33 12", "rules 4 54 120 6 54 12 24 47 46 25 54 46 32 10 1 33 54 115 34 60 114 37 10 32 58 10 8 59 10 16 61 47 43 63 10 4 64 47 48 66 10 8 67 33 20",- "allow 4 18 80 6 18 12 9 10 64 12 60 109 20 18 96 24 33 56 25 33 56 33 18 48 34 26 112 37 10 32 38 18 8 45 10 8 61 33 60 64 26 40 67 26 36",+ "allow 4 18 80 6 18 12 9 10 64 12 60 109 20 18 96 24 33 56 25 33 56 33 18 48 34 26 112 37 10 32 38 18 8 45 10 8 49 10 4 61 33 60 64 26 40 67 26 36", "deny 4 10 32 6 10 8 12 47 45 15 10 8 24 40 56 25 33 44 33 10 32 34 
18 32 61 40 60 64 18 32 67 26 36", "any 4 54 50 6 78 111 24 26 28 25 26 20 33 47 62 34 47 62 35 33 38 37 10 32 42 10 1 47 10 32 50 10 2 51 10 16 59 10 8 61 26 20 62 18 34 64 47 42", "but 4 10 32 6 10 4 15 10 4 24 10 16 25 10 16 33 10 32 34 10 32 36 10 16 41 10 32 47 10 32 61 10 16 62 10 16 64 10 16",@@ -324,7 +324,7 @@ "connections 4 10 16 6 10 4 12 60 45 15 10 2 17 21 6 20 18 12 27 10 8 28 26 6 34 10 8 38 10 16 43 10 32 50 10 16 51 10 64 67 47 36", "remember 4 10 8 6 10 4", "whatever 4 10 8 6 10 4",- "always 4 10 8 6 10 2 27 10 8",+ "always 4 10 8 6 10 2 27 10 8 49 10 4", "127.0.0.1 4 10 8 6 10 2 7 18 18 33 18 24 34 18 24 37 10 32 64 18 8", "supported 4 18 10 6 18 2 14 26 36 24 18 34 25 18 34 33 26 10 34 18 10 35 26 50 36 10 32 61 18 33 64 26 10", "wildcards 4 18 8 6 18 2 8 10 16 24 18 2 25 18 2 33 18 8 34 18 8 35 18 48 61 18 1 64 18 8",@@ -343,7 +343,7 @@ "xxx 4 10 2 6 10 2 33 10 4 34 10 4 35 10 4 64 10 4", "xxx.xxx 4 10 2 6 10 2 33 10 4 34 10 4 35 10 4 64 10 2", "xxx.xxx.xxx 4 10 2 6 10 2 33 10 4 34 10 4 35 10 4 64 10 2",- "valid 4 10 2 6 10 2 30 33 12 33 10 4 34 10 4 35 10 4 64 10 2",+ "valid 4 10 2 6 10 2 30 33 12 33 10 4 34 10 4 35 10 4 49 10 2 64 10 2", "192.168 4 10 2 6 10 2 33 10 4 34 10 4 35 10 4 64 10 2", "represents 4 18 2 6 26 3 33 18 2 34 18 2 35 18 6 64 18 2", "192.168.0.0 4 26 2 6 26 2 33 26 2 34 26 2 35 26 2 64 26 2",@@ -368,7 +368,7 @@ "certificates 5 10 1 20 10 8 51 10 16", "manager 5 10 1 14 10 8 16 26 192 20 26 14 23 18 2 28 21 224 36 10 2 37 10 64 45 10 4 46 10 64 48 26 224 50 20 192 51 20 192 58 26 20", "admin_setting_listener.htm 5 6 64",- "account 6 18 80 7 40 6 9 10 8 10 26 48 12 60 86 13 18 34 14 89 54 15 18 4 17 15 70 23 10 4 32 10 16 37 18 32 41 18 12 48 10 2 58 10 4 59 10 16 61 10 16 62 47 113 63 18 48 65 33 36 67 72 60",+ "account 6 18 80 7 40 6 9 10 8 10 26 48 12 60 86 13 18 34 14 89 54 15 18 4 17 15 70 23 10 4 32 10 16 37 18 32 41 18 12 48 10 2 49 10 4 58 10 4 59 10 16 61 10 16 62 47 113 63 18 48 65 33 36 67 72 60", "administrate 6 
18 72 58 18 48", "unique 6 10 64 7 10 8 62 10 32", "contain 6 10 64 9 10 8 14 10 4 62 10 32",@@ -414,7 +414,7 @@ "launch 6 18 16 7 26 48", "package 6 10 16 7 10 32", "wingftpserver.exe 6 10 16 7 10 32",- "via 6 18 16 9 10 32 13 10 32 49 26 10 58 18 16 67 18 10",+ "via 6 18 16 9 10 32 13 10 32 49 26 26 58 18 16 67 18 10", "sudo 6 18 16 7 10 32", "etc 6 10 16 42 10 4", "init.d 6 10 16",@@ -462,7 +462,7 @@ "double-clicking 7 10 16", "tray 7 10 16", "desktop 7 10 16",- "created 7 33 28 17 12 4 30 18 24 46 10 4 47 10 4 51 10 4",+ "created 7 33 28 17 12 4 30 18 24 46 10 4 47 10 4 49 10 2 51 10 4", "creating 7 18 20 13 10 64 30 18 24 58 10 1", "has 7 18 8 10 10 8 14 33 18 17 65 14 24 10 1 25 10 1 28 10 8 33 10 2 34 10 2 36 10 4 37 18 96 40 10 4 54 10 32 58 10 2 65 10 16", "been 7 18 8 10 10 8 14 18 18 17 53 6 21 10 16 54 10 32 65 10 16",@@ -554,12 +554,12 @@ "uploaded 8 10 2 12 33 43 16 18 40 17 12 6 21 18 3 23 10 2 41 33 28 46 40 25 47 10 16 54 18 3", "accounts 8 10 1 13 10 64 15 10 4 32 10 16 62 10 16 65 18 12", "html 8 10 1 30 18 96",- "status 8 8 128 15 8 128 18 8 128 19 10 1 21 32 192 31 8 128 52 8 128 54 32 192 56 8 128",+ "status 8 8 128 15 8 128 18 8 128 19 10 1 21 32 192 31 8 128 49 10 4 52 8 128 54 32 192 56 8 128", "__report.htm 8 6 64", "unix 9 18 96 14 10 32", "symbolic 9 18 96", "links 9 18 96",- "disallow 9 10 32 38 10 8",+ "disallow 9 10 32 38 10 8 49 10 2", "hashed 9 10 32", "salting 9 10 32", "salt 9 26 48",@@ -616,7 +616,7 @@ "per 10 33 48 12 33 45 17 21 6 41 10 1 65 33 56 67 60 46", "same 10 10 32 13 10 16 15 18 6 17 24 38 28 26 3 47 10 4 63 18 48", "specifies 10 18 16 65 18 32",- "maximum 10 18 16 17 48 6 20 18 3 38 18 1 41 26 5 49 10 8 57 10 16 65 47 60",+ "maximum 10 18 16 17 48 6 20 18 3 38 18 1 41 26 5 49 10 16 57 10 16 65 47 60", "concurrent 10 18 16 21 10 32 27 10 8 46 18 48 54 10 32 65 18 32", "opened 10 10 16 27 10 16 65 10 32", "automatic 10 18 8 37 10 64 65 18 34",@@ -668,7 +668,7 @@ "such 12 18 68 13 10 32 16 10 2 30 40 34 32 10 1 37 10 64 
39 10 2 42 10 8 51 10 2 63 10 4", "2009-09-09 12 18 68 39 10 2", "maxdownloadspeed 12 33 77",- "speed 12 60 45 13 10 32 17 8 8 21 40 42 38 26 33 49 89 120 54 33 14 65 33 28 67 72 52",+ "speed 12 60 45 13 10 32 17 8 8 21 40 42 38 26 33 49 89 112 54 33 14 65 33 28 67 72 52", "maxuploadspeed 12 33 45", "upload 12 112 63 16 10 1 17 15 14 21 54 35 38 18 1 41 40 50 46 66 31 49 66 57 54 54 39 58 26 5 60 10 16 65 33 12 67 84 62", "maxconnection 12 33 45",@@ -745,7 +745,7 @@ "sshauthmethod 12 18 18", "both 12 18 18 67 10 16", "enableweblink 12 18 18",- "link 12 33 18 40 10 4 46 10 2 49 47 30 58 33 3 62 18 4 67 18 16",+ "link 12 33 18 40 10 4 46 10 2 49 47 26 58 33 3 62 18 4 67 18 16", "enableuplink 12 18 18", "request 12 18 18 49 26 10 51 10 8 58 18 3 62 18 4 67 10 16", "enabletwofactor 12 18 18",@@ -1190,7 +1190,7 @@ "nbansec 17 4 8", "added 17 4 8 24 10 4 25 10 4 30 18 12 60 10 8 61 10 2", "c_deltempblockip 17 4 8",- "removed 17 4 8 24 10 4 25 10 4 46 10 4 61 10 2",+ "removed 17 4 8 24 10 4 25 10 4 46 10 4 49 10 4 61 10 2", "c_getuserabsolutepath 17 4 8", "strnowdir 17 4 8", "c_getchartdata 17 4 8",@@ -1212,7 +1212,7 @@ "nenableupnp 17 4 8", "nminpasvport 17 4 8", "nmaxpasvport 17 4 8",- "fixed 17 4 8 27 26 32 37 10 32 43 10 16 49 10 2",+ "fixed 17 4 8 27 26 32 37 10 32 43 10 16 49 10 1", "url 17 4 8 37 60 40 49 26 3", "resolve 17 8 8", "internet 17 8 8 27 18 32 43 10 32",@@ -1657,7 +1657,7 @@ "member 32 18 6 63 18 5", "inherited 32 10 4 63 10 8", "membership 32 10 2 63 10 8",- "still 32 10 2",+ "still 32 10 2 49 10 2", "overridden 32 10 2 63 10 8", "acquire 32 10 1 63 10 4", "numerous 32 10 1",@@ -1857,7 +1857,7 @@ "'chmod 38 10 8", "chmod 38 10 8", "modification 38 18 8",- "weblink 38 18 4 46 18 4 49 47 21 58 10 2",+ "weblink 38 18 4 46 18 4 49 60 31 58 10 2", "uploadlink 38 18 4", "bookmark_db 38 10 2", "working 38 18 2",@@ -1874,7 +1874,7 @@ "where 39 10 32 51 26 2", "c_isdir 39 10 32", "strpath 39 54 48",- "existing 39 10 32 50 10 2 51 26 48",+ "existing 39 10 32 49 
10 4 50 10 2 51 26 48", "c_mkdir 39 10 32", "c_removefiledir 39 10 32", "c_movefiledir 39 10 32",@@ -2125,9 +2125,12 @@ "associated 48 10 2 51 10 32 65 18 4", "smtp_config_manager.htm 48 6 64", "requesting 49 10 8",- "subfolders 49 18 4 66 18 24",- "maintained 49 10 2",- "overwritten 49 10 2",+ "subfolders 49 18 8 66 18 24",+ "maintained 49 10 4",+ "overwritten 49 10 4",+ "regardless 49 10 4",+ "weblinks 49 10 2",+ "him 49 10 2", "overwrite 49 18 2", "speed_limit.htm 49 6 64", "ssh_key_manager.htm 50 6 64",
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be minor text/number adjustments in a help file (zoom_index.js) rather than security-related code changes. Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found in this help file update. The changes are textual/numerical adjustments in documentation strings.

The diff shows changes like:
- "login" string value modified from "...49 18 12..." to "...49 18 24..."
- "check" string value modified from "...49 10 4..." to "...49 10 8..."
- "the" string value modified from "...49 78 31..." to "...49 84 31..."
- "when" string value modified from "...49 54 30..." to "...49 60 30..."

These appear to be documentation formatting changes rather than security fixes. No actual code vulnerabilities are being addressed in this diff. The file appears to be a help/UI text file rather than functional code.
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_domain_database.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_domain_database.html@@ -549,13 +549,13 @@ function testLDAP_result() { var result = xmlhttp.responseText;- if(result == "0" || result == 0)- {- alert("<%=LANG['str_testldap_fail']%>");+ if(result == "1" || result == 1)+ {+ alert("<%=LANG['str_testldap_ok']%>"); } else {- alert("<%=LANG['str_testldap_ok']%>");+ showMessagebox("<%=LANG['str_testldap_fail']%>","<table width='100%' height='100%' border='0' cellpadding='0' cellspacing='0' style='background-color:#E6E6E6;padding:8px;'><tr><td align='left'><img src='images/vista_warning.gif' align='absmiddle'><br><textarea readonly style='width:430px;height:180px;border:0;background-color:#E6E6E6;word-break:keep-all;overflow:hidden;'>"+removeXSS(result)+"</textarea></td></tr><tr><td><button id='btn_submit' type='submit' onclick='top.closewindow();' class='button1'><span><em><%=LANG['button_submit']%></em></span></button> <button id='btn_cancel' onclick='top.closewindow();' class='button1'><span><em><%=LANG['button_cancel']%></em></span></button><br><br></td></tr></table>",null,450,300); } } </script>
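Review bot: the untrusted-output exposure in this hunk lies in the new else-branch, not in the removed code: before the change `result` was only compared against "0" and a fixed language string was passed to `alert()`, so the response body never reached the DOM; after the change the body is concatenated into the message HTML inside a `<textarea>`, guarded only by `removeXSS(result)`. Because a `</textarea>` sequence in the response would terminate that element, `removeXSS` must HTML-escape `<`, `>`, `&` and quotes rather than strip a pattern list; if it is a blacklist filter, prefer escaping, or create the textarea and assign its `value` through the DOM after the message box is shown. The success test is also inverted, from `== "0"` meaning failure to `== "1"` meaning success, so any other value (including "0", an empty body or an HTTP error page) is now reported as a failure with its text displayed; confirm the server-side LDAP test endpoint returns exactly "1" on success in 7.4.4, otherwise every test will appear to fail.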
Here's the analysis of the provided code diff:

1. Vulnerability Existed: yes
Cross-Site Scripting (XSS) Vulnerability [webadmin/admin_domain_database.html] [Lines 549-557]
[Old Code]
```
var result = xmlhttp.responseText;
if(result == "0" || result == 0)
{
    alert("<%=LANG['str_testldap_fail']%>");
}
else
{
    alert("<%=LANG['str_testldap_ok']%>");
}
```
[Fixed Code]
```
var result = xmlhttp.responseText;
if(result == "1" || result == 1)
{
    alert("<%=LANG['str_testldap_ok']%>");
}
else
{
    showMessagebox("<%=LANG['str_testldap_fail']%>","<table width='100%' height='100%' border='0' cellpadding='0' cellspacing='0' style='background-color:#E6E6E6;padding:8px;'><tr><td align='left'><img src='images/vista_warning.gif' align='absmiddle'><br><textarea readonly style='width:430px;height:180px;border:0;background-color:#E6E6E6;word-break:keep-all;overflow:hidden;'>"+removeXSS(result)+"</textarea></td></tr><tr><td><button id='btn_submit' type='submit' onclick='top.closewindow();' class='button1'><span><em><%=LANG['button_submit']%></em></span></button> <button id='btn_cancel' onclick='top.closewindow();' class='button1'><span><em><%=LANG['button_cancel']%></em></span></button><br><br></td></tr></table>",null,450,300);
}
```
Key observations:
1. The fix adds XSS protection by using the `removeXSS()` function when displaying the result in the textarea
2. The logic for the success/failure conditions was inverted (the 0/1 values were swapped)
3. The error message display was enhanced to show more details in a secure way
4. The vulnerability existed because the original code directly used untrusted input (responseText) without sanitization
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/tchinese.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/tchinese.html@@ -171,7 +171,7 @@ str_searchin = "搜尋位置", str_searchfor = "檔案名包含", str_searchfiles = "搜尋伺服器上的檔案",-str_search_tip = "請指定一個搜尋的關鍵字!",+str_search_tip = "請輸入檔案名稱進行搜尋", str_searching = "正在搜尋中...", str_searchfor_tip = "<b>例如:</b> faq.txt, *.mp3", str_user_quota = "磁碟配額",@@ -253,7 +253,7 @@ download_extension = "瀏覽器擴充程式", download_single_file = "要下載單個檔案, 您需要先點擊檔案名來選擇一個檔案", download_multiple_files = "要下載多個檔案或者資料夾, 您可以使用Google Chrome擴充程式 'Wing Download Manager', 只需在瀏覽器中點擊擴充程式的圖示即可.<br><br>如果您尚未安裝此擴充程式, 請從Chrome線上應用程式商店下载: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "要下載多個檔案或者資料夾, 您可以使用Firefox擴充程式 'Wing Download Manager', 只需在瀏覽器中點擊擴充程式的圖示即可<br><br>如果您尚未安裝此擴充程式, 請從Firefox Add-ons網站下载: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "要下載多個檔案或者資料夾, 您可以使用Firefox擴充程式 'Wing Download Manager', 只需在瀏覽器中點擊擴充程式的圖示即可<br><br>如果您尚未安裝此擴充程式, 請從Firefox Add-ons網站下载: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "需要兩步驗證 (TOTP)", str_verify = "校驗",@@ -271,6 +271,10 @@ edit_office_files = "要讀取/編輯Office檔案, 您可以使用Google Chrome擴充程式 'Office Editing for Docs, Sheets & Slides'.<br><br>如果您尚未安裝此擴充程式, 請從Chrome線上應用程式商店下载: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "影片預覽", scan_qrcode = "掃描或點擊二維碼即可下載",+str_theme_label = "主題:",+str_theme_modern = "現代",+str_theme_classic = "經典",+str_copied = "已複製", } 
RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "作業失敗: 另外一個作業正在進行,請稍後再試" RESULT_STR[-11] = "作業失敗: 沒有權限, 無法創建子資料夾" RESULT_STR[1] = "作業成功!"+RESULT_STR[0] = "作業成功!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "登入失敗: 帳號名和密码不匹配"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "登入失敗: 使用Windows驗證前, 請先禁用Windows Guest賬號" LOGINERROR_STR[-15] = "登入失敗: 已經超過當期版本允許的最大用戶數" LOGINERROR_STR[1] = "登入成功!"+LOGINERROR_STR[0] = "登入成功!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "變更密碼失敗: 不允許修改密碼"
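Review bot: `RESULT_STR[0]` and `LOGINERROR_STR[0]` in the last two hunks map status 0 to the same success text as status 1, while every other entry in these tables uses a negative code for a failure. Confirm that the server now genuinely emits 0 as a success code; if 0 can also be the value of an unset or unrecognised result, a failed login or operation would be displayed to the user as "登入成功!" or "作業成功!". The Firefox add-on URL in the second hunk now points at a different listing (`wing-download-manager-new`); cross-check the other language files so every locale sends users to the same extension.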
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily textual/UI improvements and additions. Here's the analysis:

1. Vulnerability Existed: no
Textual Change [File] webclient/language/tchinese.html [Lines] 171
[Old Code] str_search_tip = "請指定一個搜尋的關鍵字!",
[Fixed Code] str_search_tip = "請輸入檔案名稱進行搜尋",

2. Vulnerability Existed: no
URL Update [File] webclient/language/tchinese.html [Lines] 253
[Old Code] download_multiple_files2 = "...<a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/'...
[Fixed Code] download_multiple_files2 = "...<a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/'...

3. Vulnerability Existed: no
New UI Strings Added [File] webclient/language/tchinese.html [Lines] 271-274
[Old Code] (none)
[Fixed Code]
str_theme_label = "主題:",
str_theme_modern = "現代",
str_theme_classic = "經典",
str_copied = "已複製",

4. Vulnerability Existed: no
Success Status Codes Added [File] webclient/language/tchinese.html [Lines] 286, 290, 304, 309
[Old Code] (none for status 0)
[Fixed Code]
RESULT_STR[0] = "作業成功!"
LOGINERROR_STR[0] = "登入成功!"

The changes appear to be:
- Improved/updated text messages
- Updated extension URLs
- Added new UI strings for themes
- Added handling for status code 0 (success cases)
None of these changes indicate security fixes for vulnerabilities.
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.