Analysis Report

Shared security patch analysis results

AI Used: DEEPSEEK deepseek-chat
62 filtered / 62 total files
webadmin/language/english.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/english.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/english.html@@ -784,9 +784,9 @@ str_banip_tip = "Temporary IP Ban", left_graphs = "Graphs", str_online_sessions = "Online Sessions",-str_last_5min = "Last five minutes",-str_last_5hour = "Last five hours",-str_last_10day = "Last ten days",+str_last_5min = "Last 6 minutes",+str_last_5hour = "Last 6 hours",+str_last_10day = "Last 15 days", str_password_strength = "Strength", title_windowsauth = "Windows Authentication",@@ -999,6 +999,7 @@ str_ldap_timeout = "LDAP timeout", str_real_owner_group = "Show real owner/group in the file listing (Linux/Mac)", str_no_renegotiation = "Disallow client-initiated SSL/TLS renegotiation",+str_anonymous_weblink = "Always allow existing WebLink regardless of user status (e.g. disabled).", calendar_months = "'Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'",
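Review bot: In the @@ -784,9 hunk the keys str_last_5min, str_last_5hour and str_last_10day now carry the labels "Last 6 minutes", "Last 6 hours" and "Last 15 days", so the key names no longer describe the window they label. Rename the keys to something interval-neutral or note beside them that the names are historical, and confirm that the graph code behind these labels moved to the same 6/6/15 windows, since this diff only shows the strings.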
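Review bot: The str_anonymous_weblink label added in the @@ -999,6 hunk describes an option that, when enabled, keeps existing WebLinks working after the owning account is disabled, so disabling a user would no longer cut off what that user shared. The label does not spell out that consequence for the administrator; suggest wording that says links from disabled accounts stay reachable, and documenting the option's default, which is not visible in this language file.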
AI Analysis
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be either textual updates or feature additions rather than security patches. Here's the analysis:

1. Vulnerability Existed: no
   Time Period Updates [File] [Lines 784-786]
   Old Code:
   str_last_5min = "Last five minutes",
   str_last_5hour = "Last five hours",
   str_last_10day = "Last ten days",
   Fixed Code:
   str_last_5min = "Last 6 minutes",
   str_last_5hour = "Last 6 hours",
   str_last_10day = "Last 15 days",

2. Vulnerability Existed: no
   Feature Addition [File] [Line 999]
   Old Code: (no corresponding line)
   Fixed Code:
   str_anonymous_weblink = "Always allow existing WebLink regardless of user status (e.g. disabled).",

The changes are:
1. Adjusting time period labels (from 5 to 6 minutes/hours, and 10 to 15 days)
2. Adding a new configuration option for WebLink behavior

Neither change appears to address a security vulnerability. The WebLink addition might have security implications depending on implementation, but the diff doesn't show any vulnerability being fixed - it's just adding a new feature flag.
CVE Analysis Results:
CVE-2025-47812: No
CVE description:
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
webclient/webuploader/webuploader.css AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/webuploader/webuploader.css+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/webuploader/webuploader.css@@ -46,8 +46,8 @@ } #uploader .queueList {-	width: 95%;-    margin: 10px;+	width: 99%;+    margin: 20px 5px 5px 5px;     border: 3px dashed #e6e6e6; } #uploader .queueList.filled {
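Review bot: The two changed declarations in #uploader .queueList are indented differently, width with a tab and margin with four spaces, and the new lines keep that mix. Pick one indentation for the rule while these lines are being touched.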
AI Analysis
Based on the provided CSS diff, I don't see any security-related changes. The modifications appear to be purely stylistic/UI adjustments to the uploader component's layout and margins.

Analysis for each change:

1. First change:
    Vulnerability Existed: no
    Styling adjustment [File] webclient/webuploader/webuploader.css [Lines] 46-47
    [Old Code]
    width: 95%;
    margin: 10px;
    [Fixed Code]
    width: 99%;
    margin: 20px 5px 5px 5px;

2. Second change:
    Vulnerability Existed: no
    Border styling [File] webclient/webuploader/webuploader.css [Lines] 48
    [Old Code]
    border: 3px dashed #e6e6e6;
    [Fixed Code]
    (same line, no actual change - just context in diff)

These changes only affect the visual presentation of the upload queue list, modifying its width and margin spacing. There are no security implications in these CSS adjustments.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/admin_license.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_license.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_license.html@@ -239,7 +239,7 @@ 			<div style="padding:5px;line-height:25px;"> 			<div id="license_info"> 			<span style="color:#0000FF">Wing FTP Server <%=c_GetVersion()%></span><br>-			<span style="color:#0000FF">Copyright 2024 by wftpserver.com ([email protected])</span><br>+			<span style="color:#0000FF">Copyright 2025 by wftpserver.com ([email protected])</span><br> 			<span style="color:#009900"><%=LANG["str_os_type"]%>:  <%=c_GetOsType()%></span><br> 			<%if nType <= LICENSE_CORPORATE then%> 			<span style="color:#009900"><%=LANG["str_edition"]%>: 
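Review bot: The copyright year on the changed line of the @@ -239,7 hunk is a hand-edited literal ("Copyright 2025 by wftpserver.com") although the neighbouring lines already interpolate server-side values such as <%=c_GetVersion()%>. The same literal bump appears in webadmin/main.html and webadmin/help/english/admin_content_dyn.html on this page; where the file is templated, consider emitting the year from one server-side value so a release does not have to touch each file by hand.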
AI Analysis
Based on the provided code diff, I don't see any security-related changes. The only modification is updating the copyright year from 2024 to 2025, which is purely a cosmetic/documentation change.

Answer:
    Vulnerability Existed: no
    No security vulnerability found [webadmin/admin_license.html] [Lines 239]
    [Old Code]
    <span style="color:#0000FF">Copyright 2024 by wftpserver.com ([email protected])</span><br>
    [Fixed Code]
    <span style="color:#0000FF">Copyright 2025 by wftpserver.com ([email protected])</span><br>

Additional Details:
    The change only updates the copyright year in the footer text. No security implications are present in this modification.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/help/english/settings.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/help/english/settings.js+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/help/english/settings.js@@ -24,7 +24,7 @@ var OutputBasewordBufferSize = 0; var OutputVariantBufferSize = 0; var DictIDLen = 4;-var NumKeywords = 2789;+var NumKeywords = 2792; var NumVariants = 973; var NumPages = 68; var DictArrayCount = 0;
AI Analysis
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: no
   No specific vulnerability [File: webadmin/help/english/settings.js] [Lines: 24]
   Old Code: var NumKeywords = 2789;
   Fixed Code: var NumKeywords = 2792;

Additional Details:
- The change appears to be a simple numerical update (from 2789 to 2792) of what seems to be a counter for keywords in a dictionary or help system.
- There are no security-related patterns in this change (no input validation, no authentication changes, no sensitive data handling).
- The modification doesn't involve any user input processing or system interaction that could lead to security issues.
- This is likely a maintenance update reflecting changes in the help system content rather than a security fix.

No security vulnerabilities were identified in this diff. The change is purely functional/numerical in nature.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/main.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/main.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/main.html@@ -668,7 +668,7 @@         </tr> 		<tr>  		<td align="center">-		  <a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved+		  <a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved 		</td> 		</tr>       </table>
AI Analysis
Based on the provided code diff, here's the analysis following the required format:

Vulnerability Existed: no
[No security vulnerability found] [webadmin/main.html] [Lines 668]
[Old Code]
<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved
[Fixed Code]
<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved

Additional Details:
The change appears to be a simple copyright year update from 2024 to 2025 in the footer text. There are no security-related changes or vulnerabilities being addressed in this diff. The modification is purely cosmetic/legal in nature.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/help/english/admin_content_dyn.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/help/english/admin_content_dyn.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/help/english/admin_content_dyn.html@@ -161,6 +161,6 @@ <script type="text/javascript"> parent.preloadicons('button_openbook.gif','button_closedbook.gif','button_topic.gif');</script>-<hr size="1" /><p><span style="font-size: 8px">© 2024 Wing FTP Server</span></p>+<hr size="1" /><p><span style="font-size: 8px">© 2025 Wing FTP Server</span></p> </body> </html>
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No security vulnerability found [File] webadmin/help/english/admin_content_dyn.html [Lines] 161
   Old Code: <hr size="1" /><p><span style="font-size: 8px">© 2024 Wing FTP Server</span></p>
   Fixed Code: <hr size="1" /><p><span style="font-size: 8px">© 2025 Wing FTP Server</span></p>

The change appears to be a simple copyright year update with no security implications. No vulnerabilities were identified in this modification. The diff only shows a change in the displayed copyright year from 2024 to 2025, which is a routine maintenance update rather than a security fix.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/language/schinese.html AI: 1 vulnerability
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/schinese.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/schinese.html@@ -784,9 +784,9 @@ str_banip_tip = "临时IP访问限制", left_graphs = "实时图表", str_online_sessions = "在线会话数",-str_last_5min = "最近五分钟",-str_last_5hour = "最近五小时",-str_last_10day = "最近十天",+str_last_5min = "最近6分钟",+str_last_5hour = "最近6小时",+str_last_10day = "最近15天", str_password_strength = "密码强度", title_windowsauth = "Windows 验证",@@ -999,6 +999,7 @@ str_ldap_timeout = "LDAP 超时时间", str_real_owner_group = "在文件列表中显示真实所有者/组 (Linux/Mac)", str_no_renegotiation = "禁止客户端发起的 SSL/TLS 重新协商",+str_anonymous_weblink = "无论用户状态如何(例如已禁用),始终允许已存在的WebLink.", calendar_months = "'一月','二月','三月','四月','五月','六月','七月','八月','九月','十月','十一月','十二月'",
AI Analysis
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
    [Time Frame Changes] [webadmin/language/schinese.html] [Lines 784-786]
    [Old Code]
    str_last_5min = "最近五分钟",
    str_last_5hour = "最近五小时",
    str_last_10day = "最近十天",
    [Fixed Code]
    str_last_5min = "最近6分钟",
    str_last_5hour = "最近6小时",
    str_last_10day = "最近15天",
    [Note: This appears to be a UI/display change for time frames. While not directly a security fix, changing monitoring time frames could impact security monitoring capabilities.]

2. Vulnerability Existed: yes
    [Insecure WebLink Handling] [webadmin/language/schinese.html] [Lines 999]
    [Old Code]
    [No previous setting for WebLink handling]
    [Fixed Code]
    str_anonymous_weblink = "无论用户状态如何(例如已禁用),始终允许已存在的WebLink.",
    [Note: This addition suggests a security fix where previously disabled users' WebLinks might have been automatically disabled, but now there's explicit control over this behavior. The vulnerability would be related to improper access control for disabled users' resources.]

The most significant security-related change appears to be the addition of the WebLink handling setting, which addresses an access control issue for disabled users' shared links. The time frame changes might be related to security monitoring but don't appear to directly fix a vulnerability.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/language/turkish.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/turkish.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/turkish.html@@ -784,9 +784,9 @@ str_banip_tip = "Geçici IP Yasakla", left_graphs = "Grafikler", str_online_sessions = "Çevrimiçi Oturumlar",-str_last_5min = "Son beş dakika",-str_last_5hour = "Son beş saat",-str_last_10day = "Son on gün",+str_last_5min = "Son 6 dakika",+str_last_5hour = "Son 6 saat",+str_last_10day = "Son 15 gün", str_password_strength = "Güçlü", title_windowsauth = "Windows Kimlik Doğrulaması",@@ -1001,6 +1001,7 @@ str_ldap_timeout = "LDAP zaman aşımı", str_real_owner_group = "Dosya listesinde gerçek sahibi/grubu göster (Linux/Mac)", str_no_renegotiation = "İstemci tarafından başlatılan SSL/TLS yeniden müzakeresine izin verme",+str_anonymous_weblink = "Kullanıcı durumundan (örneğin devre dışı) bağımsız olarak her zaman mevcut WebLink'e izin verin.", calendar_months = "'Oca','Şub','Mar','Nis','May','Haz','Tem','Ağu','Eyl','Ekm','Kas','Ara'",
AI Analysis
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be either:
1. Simple text/translation updates (changing time periods from 5 to 6 minutes/hours and 10 to 15 days)
2. Adding a new configuration option for anonymous weblinks

Here's the structured response:

Vulnerability Existed: no
No security vulnerability found in the diff. Changes are either translation updates or feature additions.

The changes include:
1. Updated time period strings (5 to 6 minutes/hours, 10 to 15 days)
2. Added new configuration option str_anonymous_weblink for WebLink availability

None of these changes appear to address or introduce security vulnerabilities - they're either UI text modifications or new feature additions.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/language/french.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/french.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/french.html@@ -784,9 +784,9 @@ str_banip_tip = "Banir IP temporairement", left_graphs = "Graphs", str_online_sessions = "Session Actives",-str_last_5min = "Dernières 5 minutes",-str_last_5hour = "Dernières 5 heures",-str_last_10day = "Derniers 10 jours",+str_last_5min = "Dernières 6 minutes",+str_last_5hour = "Dernières 6 heures",+str_last_10day = "Derniers 15 jours", str_password_strength = "Strength", title_windowsauth = "Authentification Windows",@@ -999,6 +999,7 @@ str_ldap_timeout = "Délai d'expiration LDAP", str_real_owner_group = "Afficher le véritable propriétaire/groupe dans la liste des fichiers (Linux/Mac)", str_no_renegotiation = "Interdire la renégociation SSL/TLS initiée par le client",+str_anonymous_weblink = "Autoriser toujours le lien Web existant quel que soit le statut de l'utilisateur (par exemple, désactivé).", calendar_months = "'Jan','Fév','Mar','Avr','Mai','Jun','Jui','Aou','Sep','Oct','Nov','Dec'",
AI Analysis
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be either textual/translation updates or minor functional modifications without security implications.

Here's the analysis:

1. Vulnerability Existed: no
   Textual/Translation Updates [File] webadmin/language/french.html [Lines] 784-786
   [Old Code]
   str_last_5min = "Dernières 5 minutes",
   str_last_5hour = "Dernières 5 heures",
   str_last_10day = "Derniers 10 jours",
   
   [Fixed Code]
   str_last_5min = "Dernières 6 minutes",
   str_last_5hour = "Dernières 6 heures",
   str_last_10day = "Derniers 15 jours",

2. Vulnerability Existed: no
   New Feature Addition [File] webadmin/language/french.html [Lines] 999
   [Old Code]
   str_no_renegotiation = "Interdire la renégociation SSL/TLS initiée par le client",
   
   [Fixed Code]
   str_no_renegotiation = "Interdire la renégociation SSL/TLS initiée par le client",
   str_anonymous_weblink = "Autoriser toujours le lien Web existant quel que soit le statut de l'utilisateur (par exemple, désactivé).",

The changes are either:
1. Updating time period descriptions in French (5→6 minutes/hours, 10→15 days)
2. Adding a new string for a feature that allows web links to remain accessible regardless of user status

Neither change appears to address or introduce any security vulnerabilities. The changes are either cosmetic (translation improvements) or related to feature functionality.
CVE Analysis Results:
CVE-2025-47812: No
webclient/language/portuguese.html AI: Not sure
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/portuguese.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/portuguese.html@@ -50,7 +50,7 @@ rmdir_tip = "(Essa operacao removera todos os subdiretorios e arquivos!)", create_title = "Criar Nova Pasta", create_filename = "Nome da pasta",-create_submit = " &nbsp;&nbsp;OK &nbsp;&nbsp;",+create_submit = " OK ", create_cancel = " Cancelar ", goto_title = "Va para Diretorio", goto_path = "Caminho diretorio",@@ -171,7 +171,7 @@ str_searchin = "Procurar em", str_searchfor = "Procurar por", str_searchfiles = "Procurar arquivos no site",-str_search_tip = "Por favor digite a palavra chave para procurar por!",+str_search_tip = "Por favor digite a palavra chave para procurar por", str_searching = "Procurando agora...", str_searchfor_tip = "<b>Por exemplo:</b>faq.txt,*.mp3",@@ -253,7 +253,7 @@ download_extension = "Extensão do navegador", download_single_file = "Para baixar um único arquivo, você precisa selecionar um arquivo clicando em seu nome primeiro.", download_multiple_files = "Para baixar vários arquivos / pastas, você pode usar a extensão do Google Chrome 'Wing Download Manager', basta clicar no ícone da extensão no navegador.<br><br>Se você ainda não instalou essa extensão, baixe-a na Chrome Web Store: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "Para baixar vários arquivos / pastas, você pode usar a extensão do Firefox 'Wing Download Manager', basta clicar no ícone da extensão no navegador.<br><br>Se você ainda não instalou essa extensão, baixe-o no site Firefox Add-ons: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "Para baixar vários arquivos / pastas, você pode usar a extensão do 
Firefox 'Wing Download Manager', basta clicar no ícone da extensão no navegador.<br><br>Se você ainda não instalou essa extensão, baixe-o no site Firefox Add-ons: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "Autenticação de dois fatores (TOTP)", str_verify = "Verificar",@@ -271,6 +271,10 @@ edit_office_files = "Para visualizar/editar arquivos do Microsoft Word, Excel e PowerPoint, você pode usar a extensão do Google Chrome 'Office Editing for Docs, Sheets & Slides'.<br><br>Se você ainda não instalou essa extensão, baixe-a na Chrome Web Store: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "Pré-visualização do vídeo", scan_qrcode = "Escaneie ou clique no código QR para baixar",+str_theme_label = "Tema:",+str_theme_modern = "Moderno",+str_theme_classic = "Clássico",+str_copiado = "Copiado", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "Erro: outra operação está pendente, tente mais tarde" RESULT_STR[-11] = "Erro: Sem permissao, não consigo criar subpasta" RESULT_STR[1] = "Funcionando!"+RESULT_STR[0] = "Funcionando!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "Conexao falhou: Nome de usuario e senha nao conferem"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "Conexao falhou: Windows Authentication cannot work when Windows Guest account enabled" LOGINERROR_STR[-15] = "Conexao falhou: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "Conexao Bem Sucedida!"+LOGINERROR_STR[0] = "Conexao Bem Sucedida!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "Escolha de senha falhou: Escolha de senha esta proibida"
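Review bot: The @@ -271,6 hunk adds the key str_copiado, while the matching hunk in webclient/language/french.html on this page adds str_copied for the same role. If the client looks the string up as str_copied, the Portuguese file will have no entry for it; keep the key as str_copied and translate only the value "Copiado".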
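Review bot: RESULT_STR[0] in the @@ -286,6 hunk, and likewise LOGINERROR_STR[0] in the @@ -304,6 hunk, is given the same text as index 1 ("Funcionando!" and "Conexao Bem Sucedida!"), so a return code of 0 will now be shown to the user as success. Nothing in the diff says why 0 counts as success alongside 1; add a short comment on both tables stating which codes mean success, and check that no caller returns 0 for an unset or failed result.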
AI Analysis
Based on the provided diff, I'll analyze potential security vulnerabilities:

1. Vulnerability Existed: no
No specific security vulnerabilities were fixed in this diff. The changes appear to be:
- Minor text/formatting changes (removing HTML spaces, punctuation changes)
- Updated Firefox extension URL
- Added new theme options and copy confirmation text
- Added new status messages (RESULT_STR[0] and LOGINERROR_STR[0])

2. Vulnerability Existed: not sure
Potential XSS via HTML injection [File] webclient/language/portuguese.html [Lines] 253, 271
[Old Code] Contains multiple HTML tags with attributes in strings
[Fixed Code] Still contains HTML tags with attributes in strings
Note: While not changed in this diff, the presence of raw HTML in strings could potentially lead to XSS if these strings are not properly escaped when rendered. However, since this is a language file, the risk depends on how these strings are used in the application.

3. Vulnerability Existed: not sure
Potential Open Redirect [File] webclient/language/portuguese.html [Lines] 253
[Old Code] Contains external links to chrome.google.com and addons.mozilla.org
[Fixed Code] Still contains external links, with one URL updated
Note: While not inherently vulnerable, linking to external sites could be risky if the URLs aren't properly validated or if they could be manipulated. The update to the Firefox addon URL suggests they're maintaining these links carefully.

The diff primarily shows localization and UI-related changes rather than security fixes. The most notable change is the update to the Firefox extension URL, which appears to be a maintenance update rather than a security fix.
CVE Analysis Results:
CVE-2025-47812: No
webclient/language/french.html AI: Not sure
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/french.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/french.html@@ -50,7 +50,7 @@ rmdir_tip = "(Vous aller supprimer tous les répertoires ainsi que les fichiers!)", create_title = "Créer un répertoire", create_filename = "Nom du répertoire",-create_submit = " &nbsp;&nbsp;OK &nbsp;&nbsp;",+create_submit = " OK ", create_cancel = "Annuler", goto_title = "Aller au répertoire", goto_path = "Chemin",@@ -171,7 +171,7 @@ str_searchin = "Chercher dans", str_searchfor = "Chercher", str_searchfiles = "Chercher les fichiers",-str_search_tip = "Veuiller indiquer le mot à chercher",+str_search_tip = "Veuillez saisir un nom de fichier pour rechercher", str_searching = "Chercher en cours...", str_searchfor_tip = "<b>Par exemple:</b>faq.txt,*.mp3",@@ -253,7 +253,7 @@ download_extension = "Extension de navigateur", download_single_file = "Pour télécharger un seul fichier, vous devez sélectionner un fichier en cliquant d'abord sur son nom de fichier.", download_multiple_files = "Pour télécharger plusieurs fichiers/dossiers, vous pouvez utiliser l'extension de Google Chrome 'Wing Download Manager', il suffit de cliquer sur l'icône de l'extension dans le navigateur.<br><br>Si vous n'avez pas encore installé cette extension, veuillez la télécharger à partir du Chrome Web Store: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "Pour télécharger plusieurs fichiers/dossiers, vous pouvez utiliser l'extension de Firefox 'Wing Download Manager', il suffit de cliquer sur l'icône de l'extension dans le navigateur.<br><br>Si vous n'avez pas encore installé cette extension, veuillez la télécharger à partir du Site Web Firefox-Addons: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img 
src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "Pour télécharger plusieurs fichiers/dossiers, vous pouvez utiliser l'extension de Firefox 'Wing Download Manager', il suffit de cliquer sur l'icône de l'extension dans le navigateur.<br><br>Si vous n'avez pas encore installé cette extension, veuillez la télécharger à partir du Site Web Firefox-Addons: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "Authentification à deux facteurs (TOTP)", str_verify = "Vérifier",@@ -271,6 +271,10 @@ edit_office_files = "Pour afficher/modifier des fichiers Microsoft Word, Excel et PowerPoint, vous pouvez utiliser l'extension de Google Chrome 'Office Editing for Docs, Sheets & Slides'.<br><br>Si vous n'avez pas encore installé cette extension, veuillez la télécharger à partir du Chrome Web Store: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "Aperçu vidéo", scan_qrcode = "Scannez ou cliquez sur le code QR pour télécharger",+str_theme_label = "Thème :",+str_theme_modern = "Moderne",+str_theme_classic = "Classique",+str_copied = "Copié", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "Erreur: une autre opération est en attente, veuillez la réessayer plus tard" RESULT_STR[-11] = "Erreur: permission refusée, impossible de créer un sous-dossier" RESULT_STR[1] = "Fonctionne correctement!"+RESULT_STR[0] = "Fonctionne correctement!" 
LOGINERROR_STR = {} LOGINERROR_STR[-1] = "Échec de connexion: le compte et le mot de passe ne concorde pas"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "Échec de connexion: Windows Authentication cannot work when Windows Guest account enabled" LOGINERROR_STR[-15] = "Échec de connexion: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "Connexion réussie!"+LOGINERROR_STR[0] = "Connexion réussie!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "Échec de la modification du mot de passe: la modification du mot de passe est interdite"
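Review bot: The replaced download_multiple_files2 string in the @@ -253,7 hunk still opens the external add-on page with target='_blank' and no rel attribute, and the new URL pins the en-US locale inside a French language file. Suggest adding rel='noopener noreferrer' to the anchor and dropping the /en-US/ path segment so the add-on site can choose the visitor's locale.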
AI Analysis
Based on the provided code diff, I'll analyze potential security vulnerabilities:

1. Vulnerability Existed: not sure
[XSS Potential] [webclient/language/french.html] [Lines 253, 171]
[Old Code]
str_search_tip = "Veuiller indiquer le mot à chercher"
download_multiple_files2 = "...<a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/'..."
[Fixed Code]
str_search_tip = "Veuillez saisir un nom de fichier pour rechercher"
download_multiple_files2 = "...<a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/'..."

Additional Details:
- The changes in search tip wording could potentially relate to XSS prevention by being more specific about expected input
- The URL change for Firefox addon might address a security concern with the previous link

2. Vulnerability Existed: not sure
[Information Disclosure] [webclient/language/french.html] [Lines 286,304]
[Old Code]
RESULT_STR = { ... } (without 0 index)
LOGINERROR_STR = { ... } (without 0 index)
[Fixed Code]
RESULT_STR = { ... }
RESULT_STR[0] = "Fonctionne correctement!"
LOGINERROR_STR = { ... }
LOGINERROR_STR[0] = "Connexion réussie!"

Additional Details:
- The addition of status code 0 handling could relate to preventing information disclosure by ensuring all status codes have proper messages

3. Vulnerability Existed: not sure
[HTML Injection] [webclient/language/french.html] [Lines 50]
[Old Code]
create_submit = " &nbsp;&nbsp;OK &nbsp;&nbsp;"
[Fixed Code]
create_submit = " OK "

Additional Details:
- The removal of HTML entities might relate to preventing potential HTML injection by using plain text

Note: Since this is a language file with mostly UI text changes, it's difficult to confirm actual security vulnerabilities. The changes appear to be mostly cosmetic or usability improvements rather than direct security fixes.
CVE Analysis Results:
CVE-2025-47812: No
View CVE Description
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
webadmin/language/tchinese.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/tchinese.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/tchinese.html@@ -784,9 +784,9 @@ str_banip_tip = "臨時IP訪問限制", left_graphs = "即時圖表", str_online_sessions = "在線使用者數",-str_last_5min = "最近五分鍾",-str_last_5hour = "最近五小時",-str_last_10day = "最近十天",+str_last_5min = "最近6分鍾",+str_last_5hour = "最近6小時",+str_last_10day = "最近15天", str_password_strength = "密碼强度", title_windowsauth = "Windows 驗證",@@ -999,6 +999,7 @@ str_ldap_timeout = "LDAP 逾時時間", str_real_owner_group = "在檔案清單中顯示真實擁有者/群組 (Linux/Mac)", str_no_renegotiation = "禁止使用者端發起的 SSL/TLS 重新協商",+str_anonymous_weblink = "無論使用者狀態如何(例如已停用),始終允許已存在的WebLink.", calendar_months = "'一月','二月','三月','四月','五月','六月','七月','八月','九月','十月','十一月','十二月'",
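Review bot: in the first hunk the keys `str_last_5min`, `str_last_5hour` and `str_last_10day` now hold text for 6 minutes, 6 hours and 15 days, so the identifiers no longer match what they label. Rename the keys to interval-neutral names, or add a comment that the numbers in the names are historical, so a later edit does not "correct" the text back to match the key.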
AI Analysis
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be either text/label updates or feature additions. Here's the analysis:

1. Vulnerability Existed: no
   Time Label Updates [File] [Lines 784-786]
   [Old Code]
   str_last_5min = "最近五分鍾",
   str_last_5hour = "最近五小時",
   str_last_10day = "最近十天",
   [Fixed Code]
   str_last_5min = "最近6分鍾",
   str_last_5hour = "最近6小時",
   str_last_10day = "最近15天",
   [Note: These are just label changes for time periods, no security impact]

2. Vulnerability Existed: no
   Feature Addition [File] [Line 999]
   [Old Code]
   [No corresponding line]
   [Fixed Code]
   str_anonymous_weblink = "無論使用者狀態如何(例如已停用),始終允許已存在的WebLink.",
   [Note: This appears to be adding a new feature flag/description, not a security fix]

The changes are primarily:
- Adjusting time period labels (5 to 6 minutes/hours, 10 to 15 days)
- Adding a new string for a feature related to WebLink access

No actual code changes or security-related fixes are visible in this language file diff. The modifications are all in the UI/text layer.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/language/german.html AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/german.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/german.html@@ -784,9 +784,9 @@ str_banip_tip = "Ausschluss:", left_graphs = "Graphs", str_online_sessions = "Online Sitzungen",-str_last_5min = "letzten 5 Minuten",-str_last_5hour = "letzten 5 Stunden",-str_last_10day = "letzten 10 Tage",+str_last_5min = "letzten 6 Minuten",+str_last_5hour = "letzten 6 Stunden",+str_last_10day = "letzten 15 Tage", str_password_strength = "Strength", title_windowsauth = "Windows Authentifizierung",@@ -999,6 +999,7 @@ str_ldap_timeout = "LDAP-Zeitüberschreitung", str_real_owner_group = "Echten Besitzer/Gruppe in der Dateiliste anzeigen (Linux/Mac)", str_no_renegotiation = "Vom Client initiierte SSL/TLS-Neuverhandlungen nicht zulassen",+str_anonymous_weblink = "Vorhandene WebLinks immer zulassen, unabhängig vom Benutzerstatus (z. B. deaktiviert).", calendar_months = "'Jan','Feb','Mar','Apr','Mai','Jun','Jul','Aug','Sep','Okt','Nov','Dez'",
AI Analysis
Based on the provided code diff, I'll analyze it for security fixes:

1. Vulnerability Existed: not sure  
   [Potential Time-Based Information Disclosure] [File: webadmin/language/german.html] [Lines: 784-786]  
   [Old Code]  
   str_last_5min = "letzten 5 Minuten",  
   str_last_5hour = "letzten 5 Stunden",  
   str_last_10day = "letzten 10 Tage",  
   [Fixed Code]  
   str_last_5min = "letzten 6 Minuten",  
   str_last_5hour = "letzten 6 Stunden",  
   str_last_10day = "letzten 15 Tage",  

   Note: The change in time intervals might be related to security logging or monitoring, but without more context, it's unclear if this was a security fix.

2. Vulnerability Existed: yes  
   [Insecure Anonymous WebLink Access] [File: webadmin/language/german.html] [Lines: 999]  
   [Old Code]  
   (No previous entry)  
   [Fixed Code]  
   str_anonymous_weblink = "Vorhandene WebLinks immer zulassen, unabhängig vom Benutzerstatus (z. B. deaktiviert).",  

   Note: This appears to be a new security-related setting that controls whether WebLinks remain accessible even when the user account is disabled, which could be a security issue if not properly controlled.

The first change might be related to security monitoring intervals, but the second change clearly introduces a new security-related configuration option regarding anonymous access to WebLinks.
CVE Analysis Results:
CVE-2025-47812: No
webclient/editor.html AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/editor.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/editor.html@@ -108,7 +108,7 @@ 					{ 						try 						{-							top.Refresh();+							top.ajaxRequest("dir", ""); 						} 						catch(e){} 						alert(xmlhttp.responseText);
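Review bot: the empty `catch(e){}` around the new `top.ajaxRequest("dir", "")` call hides the case where the parent window has no `ajaxRequest` function, so the directory listing silently fails to refresh after a save. Log the exception or fall back to the previous refresh path. The unchanged `alert(xmlhttp.responseText)` also shows the raw server response to the user; a fixed localized message, with the raw body kept for the console, would be safer to maintain.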
AI Analysis
Let me analyze the code diff and provide the security findings:

1. Vulnerability Existed: yes
Cross-Site Scripting (XSS) Vulnerability [webclient/editor.html] [Lines 108-114]
[Old Code]
try
{
    top.Refresh();
}
catch(e){}
alert(xmlhttp.responseText);

[Fixed Code]
try
{
    top.ajaxRequest("dir", "");
}
catch(e){}
alert(xmlhttp.responseText);

Additional Details:
- The vulnerability existed because the original code directly used xmlhttp.responseText in an alert() without proper output encoding/sanitization, which could allow XSS if the response contained malicious JavaScript.
- The fix changes the behavior to use ajaxRequest instead of Refresh(), but the XSS vulnerability remains as the alert() with unsanitized responseText is still present.
- While the functionality changed, the core security issue (XSS via responseText) wasn't fully addressed.

Note: The fix appears to be incomplete as it didn't address the underlying XSS vulnerability in the alert() call. A proper fix would require sanitizing the responseText before displaying it.
CVE Analysis Results:
CVE-2025-47812: No
webclient/generate_links.html AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/generate_links.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/generate_links.html@@ -4,7 +4,7 @@ local file_list = _GET["filelist"] or ""-if string.find(dir_list, "%.%./") or string.find(dir_list, "%.%.\\") or string.find(file_list, "%.%./") or string.find(file_list, "%.%.\\") then+if string.find(dir_list, "%.%./") or string.find(dir_list, "%.%.\\") or string.find(file_list, "%.%./") or string.find(file_list, "%.%.\\") or dir_list == ".." or file_list == ".." then 	exit() end@@ -20,7 +20,8 @@ 	strResult = strResult.."<table id='links'>" 	function checkfolder(now_dir, name)-		local now_dir_path = c_GetUserAbsolutePath(domain, _SESSION["username"], now_dir)+		local now_dir_path, permission = c_GetUserAbsolutePath(domain, _SESSION["username"], now_dir)+		if permission == false then return end 		for isdir,filename,ishidden in c_GetFileDir(now_dir_path) do 			if isdir == false then 				if filename ~= nil and filename ~= "." and filename ~= ".."  then
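Review bot: in the first hunk, `dir_list == ".."` and `file_list == ".."` match only when the whole parameter is exactly `..`, and the existing `string.find` patterns require a trailing `/` or `\`, so the check still depends on the exact shape of the string rather than on the resolved path. If these parameters can carry several names, validate each entry after splitting, and treat the permission result from `c_GetUserAbsolutePath` as the authoritative check rather than the string match.

Review bot: in the second hunk, `if permission == false then return end` fails open. If `c_GetUserAbsolutePath` ever returns `nil` as its second value, `nil == false` is false in Lua and the loop over `c_GetFileDir(now_dir_path)` still runs. Use `if not permission then return end`, and check `now_dir_path` for `nil` before passing it on.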
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Directory Traversal Vulnerability [webclient/generate_links.html] [Lines 4-5]
Old Code:
`if string.find(dir_list, "%.%./") or string.find(dir_list, "%.%.\\") or string.find(file_list, "%.%./") or string.find(file_list, "%.%.\\") then`
Fixed Code:
`if string.find(dir_list, "%.%./") or string.find(dir_list, "%.%.\\") or string.find(file_list, "%.%./") or string.find(file_list, "%.%.\\") or dir_list == ".." or file_list == ".." then`

Additional Details:
The fix adds checks for simple ".." directory traversal attempts that weren't caught by the previous pattern matching. The original code only checked for "../" or "..\" patterns but missed the standalone ".." case.

2. Vulnerability Existed: yes
Insufficient Path Permission Check [webclient/generate_links.html] [Lines 20-21]
Old Code:
`local now_dir_path = c_GetUserAbsolutePath(domain, _SESSION["username"], now_dir)`
Fixed Code:
`local now_dir_path, permission = c_GetUserAbsolutePath(domain, _SESSION["username"], now_dir)`
`if permission == false then return end`

Additional Details:
The fix adds proper permission checking when retrieving directory paths. The original code didn't verify if the user had permission to access the directory path returned by c_GetUserAbsolutePath, which could lead to unauthorized access. The new code checks the permission flag and exits if access is not permitted.

3. Vulnerability Existed: not sure
Potential Information Leak [webclient/generate_links.html] [Lines 22-23]
Old Code:
`for isdir,filename,ishidden in c_GetFileDir(now_dir_path) do`
Fixed Code:
`for isdir,filename,ishidden in c_GetFileDir(now_dir_path) do`

Additional Details:
While there's no visible change in these lines, the combination of the new permission check and the existing file listing functionality might prevent potential information leaks about directory contents when users don't have proper permissions. However, since there's no direct code change here, I'm not certain if this was an intentional security fix.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/language/spanish.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/spanish.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/spanish.html@@ -783,9 +783,9 @@ str_banip_tip = "Patear IP temporariamente", left_graphs = "Graficos", str_online_sessions = "Sesiones online",-str_last_5min = "Ultimos cinco minutos",-str_last_5hour = "Ultimas cinco horas",-str_last_10day = "Ultimos diez dias",+str_last_5min = "Ultimos 6 minutos",+str_last_5hour = "Ultimas 6 horas",+str_last_10day = "Ultimos 15 dias", str_password_strength = "Fuerza", title_windowsauth = "Autenticacion Windows",@@ -998,6 +998,7 @@ str_ldap_timeout = "Tiempo de espera de LDAP", str_real_owner_group = "Mostrar propietario/grupo real en la lista de archivos (Linux/Mac)", str_no_renegotiation = "No permitir la renegociación SSL/TLS iniciada por el cliente",+str_anonymous_weblink = "Permitir siempre WebLink independientemente del estado del usuario (por ejemplo, deshabilitado).", calendar_months = "'Ene','Feb','Mar','Abr','May','Jun','Jul','Ago','Sep','Oct','Nov','Dec'",
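Review bot: the added `str_anonymous_weblink` string in the second hunk reads "Permitir siempre WebLink ...", which drops the "existing" qualifier that the German ("Vorhandene") and Traditional Chinese ("已存在的") strings on this page carry. As written it can be read as allowing any WebLink for a disabled user, including newly created ones. Since this labels an access-control option, keep the scope explicit, for example "Permitir siempre los WebLink existentes ...".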
AI Analysis
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be either textual updates or feature additions. Here's the analysis:

1. Vulnerability Existed: no
    Textual Update [File] webadmin/language/spanish.html [Lines 783-785]
    [Old Code]
    str_last_5min = "Ultimos cinco minutos",
    str_last_5hour = "Ultimas cinco horas",
    str_last_10day = "Ultimos diez dias",
    [Fixed Code]
    str_last_5min = "Ultimos 6 minutos",
    str_last_5hour = "Ultimas 6 horas",
    str_last_10day = "Ultimos 15 dias",

2. Vulnerability Existed: no
    Feature Addition [File] webadmin/language/spanish.html [Lines 998]
    [Old Code]
    str_no_renegotiation = "No permitir la renegociación SSL/TLS iniciada por el cliente",
    [Fixed Code]
    str_no_renegotiation = "No permitir la renegociación SSL/TLS iniciada por el cliente",
    str_anonymous_weblink = "Permitir siempre WebLink independientemente del estado del usuario (por ejemplo, deshabilitado).",

The changes are either:
1. Adjusting time period descriptions in Spanish (from 5 to 6 minutes/hours, 10 to 15 days)
2. Adding a new feature flag for anonymous WebLink access

Neither change appears to address a security vulnerability, but rather implements feature modifications/additions.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/language/polish.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/language/polish.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/language/polish.html@@ -784,9 +784,9 @@ str_banip_tip = "Tymczasowa blokada IP", left_graphs = "Wykresy", str_online_sessions = "Sesje online",-str_last_5min = "Ostatnie pięć minut",-str_last_5hour = "Ostatnie pięć godzin",-str_last_10day = "Ostatnie dziesięć dni",+str_last_5min = "Ostatnie 6 minut",+str_last_5hour = "Ostatnie 6 godzin",+str_last_10day = "Ostatnie 15 dni", str_password_strength = "Siła hasła", title_windowsauth = "Uwierzytelnianie Windows",@@ -999,6 +999,7 @@ str_ldap_timeout = "Przekroczono limit czasu LDAP", str_real_owner_group = "Pokaż prawdziwego właściciela/grupę na liście plików (Linux/Mac)", str_no_renegotiation = "Nie zezwalaj na ponowną negocjację SSL/TLS inicjowaną przez klienta",+str_anonymous_weblink = "Zawsze zezwalaj na WebLink bez względu na status użytkownika (np. wyłączony).", calendar_months = "'Sty.','Lut.','Mar.','Kwi.','Maj','Cze.','Lip.','Sie.','Wrz.','Paź.','Lis.','Gru.'",
AI Analysis
After analyzing the provided code diff, I don't find any clear security vulnerabilities. The changes appear to be:

1. Textual changes in time period descriptions (from 5 to 6 minutes/hours, from 10 to 15 days)
2. Addition of a new configuration option for WebLink access

Here's the structured analysis:

Vulnerability Existed: no
[No security vulnerability found] [webadmin/language/polish.html] [Lines 784-786, 999]
[Old Code]
str_last_5min = "Ostatnie pięć minut",
str_last_5hour = "Ostatnie pięć godzin",
str_last_10day = "Ostatnie dziesięć dni",
[Fixed Code]
str_last_5min = "Ostatnie 6 minut",
str_last_5hour = "Ostatnie 6 godzin",
str_last_10day = "Ostatnie 15 dni",

Vulnerability Existed: no
[No security vulnerability found] [webadmin/language/polish.html] [Line 999]
[Old Code]
[No previous line existed]
[Fixed Code]
str_anonymous_weblink = "Zawsze zezwalaj na WebLink bez względu na status użytkownika (np. wyłączony).",

These changes appear to be:
1. Adjustments to time period descriptions (likely for better monitoring/statistics)
2. Addition of a new feature flag for WebLink access control

No security vulnerabilities were identified in these changes. The modifications are either textual/descriptive or add new functionality without introducing security risks.
CVE Analysis Results:
CVE-2025-47812: No
webclient/loginok.html AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/loginok.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/loginok.html@@ -24,10 +24,12 @@ password = string.gsub(password,"+"," ") password = string.gsub(password,"\t","+")+username = string.sub(username, 1, 128)+password = string.sub(password, 1, 128) local result = c_CheckUser(username,password) if result ~= OK_CHECK_CONNECTION then-	c_AddWebLog("User '"..string.sub(username, 1, 64).."' login failed! (IP:".._REMOTE_IP..")","0",DOMAIN_LOG_WEB_RESPOND)+	c_AddWebLog("User '"..username.."' login failed! (IP:".._REMOTE_IP..")","0",DOMAIN_LOG_WEB_RESPOND) 	print("<script>alert('"..LOGINERROR_STR[tonumber(result)].."');location='login.html';</script>") else 	if _COOKIE["UID"] ~= nil then
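Review bot: `string.sub(username, 1, 128)` bounds the length but not the content, and the log call now concatenates `username` directly into the message. The hunk shows no filtering of control characters, so a name containing line breaks would still reach `c_CheckUser` and split the entry written by `c_AddWebLog`. Reject or strip control characters before the truncation. Separately, `LOGINERROR_STR[tonumber(result)]` in the unchanged `print` raises a concatenation error when `result` has no entry in the table; add a fallback message.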
AI Analysis
Here's the analysis of the provided code diff:

1. Vulnerability Existed: yes
Buffer Overflow Prevention [File] webclient/loginok.html [Lines] 24-25
[Old Code]
password = string.gsub(password,"\t","+")

[Fixed Code]
username = string.sub(username, 1, 128)
password = string.sub(password, 1, 128)

Additional Details: The fix adds length restrictions to username and password inputs, preventing potential buffer overflow attacks by limiting input size to 128 characters.

2. Vulnerability Existed: yes
Information Disclosure [File] webclient/loginok.html [Lines] 27
[Old Code]
c_AddWebLog("User '"..string.sub(username, 1, 64).."' login failed! (IP:".._REMOTE_IP..")","0",DOMAIN_LOG_WEB_RESPOND)

[Fixed Code]
c_AddWebLog("User '"..username.."' login failed! (IP:".._REMOTE_IP..")","0",DOMAIN_LOG_WEB_RESPOND)

Additional Details: The change removes the artificial truncation of usernames in error logs, which could have led to incomplete or misleading security audit information. While not a direct security vulnerability, this improves logging accuracy for security monitoring.
CVE Analysis Results:
CVE-2025-47812: No
webadmin/admin_login.html AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webadmin/admin_login.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webadmin/admin_login.html@@ -149,24 +149,24 @@ 		else 			language = navigator.browserLanguage;-		if (language.indexOf('en') > -1) location = '?lang=english';-		else if (language.indexOf('fr') > -1) location = '?lang=french';-		else if (language.indexOf('de') > -1) location = '?lang=german';-		else if (language.indexOf('it') > -1) location = '?lang=italian';-		else if (language.indexOf('nl') > -1) location = '?lang=dutch';-		else if (language.indexOf('pt') > -1) location = '?lang=portuguese';-		else if (language.indexOf('es') > -1) location = '?lang=spanish';-		else if (language.indexOf('zh-TW') > -1) location = '?lang=tchinese';-		else if (language.indexOf('zh-HK') > -1) location = '?lang=tchinese';-		else if (language.indexOf('zh-MO') > -1) location = '?lang=tchinese';-		else if (language.indexOf('zh') > -1) location = '?lang=schinese';-		else if (language.indexOf('ja') > -1) location = '?lang=japanese';-		else if (language.indexOf('cz') > -1) location = '?lang=czech';-		else if (language.indexOf('ro') > -1) location = '?lang=romanian';-		else if (language.indexOf('tr') > -1) location = '?lang=turkish';-		else if (language.indexOf('ko') > -1) location = '?lang=korean';-		else if (language.indexOf('pl') > -1) location = '?lang=polish';-		else location = '?lang=english';+		if (language.indexOf('en') > -1) location = 'admin_login.html?lang=english';+		else if (language.indexOf('fr') > -1) location = 'admin_login.html?lang=french';+		else if (language.indexOf('de') > -1) location = 'admin_login.html?lang=german';+		else if (language.indexOf('it') > -1) location = 'admin_login.html?lang=italian';+		else if (language.indexOf('nl') > -1) location = 'admin_login.html?lang=dutch';+		else if (language.indexOf('pt') > -1) location = 'admin_login.html?lang=portuguese';+		else if (language.indexOf('es') > -1) location = 
'admin_login.html?lang=spanish';+		else if (language.indexOf('zh-TW') > -1) location = 'admin_login.html?lang=tchinese';+		else if (language.indexOf('zh-HK') > -1) location = 'admin_login.html?lang=tchinese';+		else if (language.indexOf('zh-MO') > -1) location = 'admin_login.html?lang=tchinese';+		else if (language.indexOf('zh') > -1) location = 'admin_login.html?lang=schinese';+		else if (language.indexOf('ja') > -1) location = 'admin_login.html?lang=japanese';+		else if (language.indexOf('cz') > -1) location = 'admin_login.html?lang=czech';+		else if (language.indexOf('ro') > -1) location = 'admin_login.html?lang=romanian';+		else if (language.indexOf('tr') > -1) location = 'admin_login.html?lang=turkish';+		else if (language.indexOf('ko') > -1) location = 'admin_login.html?lang=korean';+		else if (language.indexOf('pl') > -1) location = 'admin_login.html?lang=polish';+		else location = 'admin_login.html?lang=english'; 	} 	else 	{@@ -177,7 +177,7 @@ function changelanguage(obj) { 	var l = obj.options[obj.selectedIndex].value;-	location = '?lang='+l;+	location = 'admin_login.html?lang='+l; } function switchcheckbox()@@ -204,7 +204,7 @@ <div class="field" style="margin-top:50px">   <p class="control has-icons-left">-    <input class="input" name="username_val" id="username_val" type="text" autocomplete="new-password" value="<%=admin_login_name%>" placeholder="<%=LANG["username"]%>">+    <input class="input" name="username_val" id="username_val" type="text" autocomplete="new-password" maxlength="128" value="<%=admin_login_name%>" placeholder="<%=LANG["username"]%>">     <span class="icon is-small is-left"> 	  <img src="images/input_user.png" class="hiddenimg" title="<%=LANG["username"]%>">       <i class="fas fa-user"></i>@@ -213,7 +213,7 @@ </div> <div class="field" style="margin-top:5px">   <p class="control has-icons-left">-    <input class="input" name="password_val" id="password_val" type="password" autocomplete="off" placeholder="<%=LANG["password"]%>">+    
<input class="input" name="password_val" id="password_val" type="password" autocomplete="off" maxlength="128" placeholder="<%=LANG["password"]%>">     <span class="icon is-small is-left"> 	  <img src="images/input_pass.png" class="hiddenimg" title="<%=LANG["password"]%>">       <i class="fas fa-lock"></i>@@ -252,7 +252,7 @@ </form> <div style="text-align:center; margin-top:30px; font-size:10pt;">-<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved+<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved </div> </div>@@ -361,7 +361,7 @@ 		</tr> 		<tr>  		<td height="50" style="font-size:12px;color:white;" colspan="2">-		<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved+		<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved 		</td> 		</tr> 	  </table>@@ -492,7 +492,7 @@ 		</tr> 		<tr>  		<td height="50" style="font-size:12px;color:white;" colspan="2">-		<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2024 <b>wftpserver.com</b> All Rights Reserved+		<a href="https://www.wftpserver.com/" target="_blank">Wing FTP Server</a> ©2003-2025 <b>wftpserver.com</b> All Rights Reserved 		</td> 		</tr> 	  </table>
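Review bot: `maxlength="128"` on `username_val` and `password_val` is enforced only by the browser, and this patch shows no matching server-side limit for the admin login, so a request sent without the form is not constrained by it. Apply the same 128-character truncation or rejection in the handler that receives these fields. In `changelanguage`, `location = 'admin_login.html?lang='+l` appends the option value unencoded; wrap it in `encodeURIComponent(l)`.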
AI Analysis
Here is the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes  
   Open Redirect Vulnerability [File] [Lines 149-177]  
   [Old Code]  
   ```javascript
   if (language.indexOf('en') > -1) location = '?lang=english';
   // ... other language conditions ...
   function changelanguage(obj) {
       var l = obj.options[obj.selectedIndex].value;
       location = '?lang='+l;
   }
   ```  
   [Fixed Code]  
   ```javascript
   if (language.indexOf('en') > -1) location = 'admin_login.html?lang=english';
   // ... other language conditions ...
   function changelanguage(obj) {
       var l = obj.options[obj.selectedIndex].value;
       location = 'admin_login.html?lang='+l;
   }
   ```  
   Additional Details: The fix prevents open redirects by specifying the full path ('admin_login.html') instead of just using a relative path ('?lang=...'). This ensures the redirect stays within the intended page.

2. Vulnerability Existed: yes  
   Input Length Restriction Missing [File] [Lines 204, 213]  
   [Old Code]  
   ```html
   <input class="input" name="username_val" id="username_val" type="text" autocomplete="new-password" value="<%=admin_login_name%>" placeholder="<%=LANG["username"]%>">
   <input class="input" name="password_val" id="password_val" type="password" autocomplete="off" placeholder="<%=LANG["password"]%>">
   ```  
   [Fixed Code]  
   ```html
   <input class="input" name="username_val" id="username_val" type="text" autocomplete="new-password" maxlength="128" value="<%=admin_login_name%>" placeholder="<%=LANG["username"]%>">
   <input class="input" name="password_val" id="password_val" type="password" autocomplete="off" maxlength="128" placeholder="<%=LANG["password"]%>">
   ```  
   Additional Details: The fix adds `maxlength="128"` to both username and password fields to prevent potential buffer overflow or denial-of-service attacks through excessively long input.

3. Vulnerability Existed: no  
   Copyright Year Update [File] [Lines 252, 361, 492]  
   [Old Code]  
   ```html
   ©2003-2024
   ```  
   [Fixed Code]  
   ```html
   ©2003-2025
   ```  
   Additional Details: This is just a copyright year update and doesn't relate to any security vulnerability.  

The main security fixes address an open redirect vulnerability and add input length restrictions, both of which are important security improvements.
CVE Analysis Results:
CVE-2025-47812: No
webclient/language/turkish.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/wftpserver7.4.3/wftpserver/webclient/language/turkish.html+++ /root/PatchLeaks-main/products/wftpserver7.4.4/wftpserver/webclient/language/turkish.html@@ -50,7 +50,7 @@ rmdir_tip = "(bu işlem tüm altklasörleri ve dosyaları kaldıracaktır!)", create_title = "Yeni Klasör Oluştur", create_filename = "Klasör adı",-create_submit = " &nbsp;&nbsp;TAMAM &nbsp;",+create_submit = " TAMAM ", create_cancel = " İptal ", goto_title = "Dizine Git", goto_path = "Dizin Yolu",@@ -171,7 +171,7 @@ str_searchin = "Arandığı yer", str_searchfor = "Aranan", str_searchfiles = "Dosyaları sitede ara",-str_search_tip = "Lütfen aranan için anahtar kelime girin!",+str_search_tip = "Lütfen aramak için bir dosya adı girin", str_searching = "Şimdi aranıyor...", str_searchfor_tip = "<b>örn.</b>  sss.txt, *.mp3", str_user_quota = "Kota",@@ -253,7 +253,7 @@ download_extension = "Tarayıcı uzantısı", download_single_file = "Tek bir dosyayı indirmek için, önce dosya adına tıklayarak bir dosya seçmeniz gerekir.", download_multiple_files = "Birden fazla dosya / klasör indirmek için, Google Chrome uzantısı 'Wing Download Manager' kullanabilirsiniz, tarayıcıdaki uzantının simgesine tıklamanız yeterlidir.<br><br>Bu uzantıyı henüz yüklemediyseniz, lütfen Chrome Web Mağazası'ndan indirin: <a href='https://chrome.google.com/webstore/detail/wing-download-manager/njikhnflhmkjadbppeicblliehkjocgk' target='_blank'><img src='images/chrome_extension.png'></a> ",-download_multiple_files2 = "Birden fazla dosya / klasör indirmek için, Firefox uzantısı 'Wing Download Manager' kullanabilirsiniz, tarayıcıdaki uzantının simgesine tıklamanız yeterlidir.<br><br>Bu uzantıyı henüz yüklemediyseniz, lütfen Firefox Add-ons web sitesinden indirin: <a href='https://addons.mozilla.org/firefox/addon/wing-download-manager/' target='_blank'><img src='images/firefox_addon.png'></a> ",+download_multiple_files2 = "Birden fazla dosya / klasör indirmek için, Firefox uzantısı 'Wing Download Manager' 
kullanabilirsiniz, tarayıcıdaki uzantının simgesine tıklamanız yeterlidir.<br><br>Bu uzantıyı henüz yüklemediyseniz, lütfen Firefox Add-ons web sitesinden indirin: <a href='https://addons.mozilla.org/en-US/firefox/addon/wing-download-manager-new/' target='_blank'><img src='images/firefox_addon.png'></a> ", totp_auth_required = "İki faktörlü kimlik doğrulama (TOTP)", str_verify = "Doğrulamak",@@ -271,6 +271,10 @@ edit_office_files = "Microsoft Word, Excel ve PowerPoint dosyalarını görüntülemek/düzenlemek için Google Chrome uzantısı 'Office Editing for Docs, Sheets & Slides' kullanabilirsiniz.<br><br>Bu uzantıyı henüz yüklemediyseniz, lütfen Chrome Web Mağazası'ndan indirin: <a href='https://chrome.google.com/webstore/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj' target='_blank'><img src='images/chrome_extension.png'></a> ", video_preview = "Video ön izlemesi", scan_qrcode = "İndirmek için QR kodunu tarayın veya tıklayın",+str_theme_label = "Tema:",+str_theme_modern = "Modern",+str_theme_classic = "Klasik",+str_copied = "Kopyalandı", } RESULT_STR = {}@@ -286,6 +290,7 @@ RESULT_STR[-10] = "Hata: başka bir işlem beklemede, lütfen daha sonra deneyin" RESULT_STR[-11] = "Hata: izin yok, alt klasör oluşturamaz" RESULT_STR[1] = "İşlem başarılı!"+RESULT_STR[0] = "İşlem başarılı!" LOGINERROR_STR = {} LOGINERROR_STR[-1] = "Oturum açma başarısız oldu: kullanıcı adı ve parola eşleşmedi"@@ -304,6 +309,7 @@ LOGINERROR_STR[-14] = "Oturum açma başarısız oldu: Windows Kimlik Doğrulaması, Windows Konuk hesabı etkinken çalışamaz" LOGINERROR_STR[-15] = "Oturum açma başarısız oldu: exceeded the max user accounts which current version allows" LOGINERROR_STR[1] = "Oturum açma başarılı oldu!"+LOGINERROR_STR[0] = "Oturum açma başarılı oldu!" CHANGEPASS_STR = {} CHANGEPASS_STR[1] = "Parola değiştirme başarısız: parola değiştirmeye izin verilmiyor"
AI Analysis
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be primarily text/UI-related modifications and additions. Here's the analysis:

1. Vulnerability Existed: no
   Text/UI changes [File] webclient/language/turkish.html [Lines] 50,171,253
   [Old Code] Various UI text strings
   [Fixed Code] Modified UI text strings

2. Vulnerability Existed: no
   Extension URL update [File] webclient/language/turkish.html [Lines] 253
   [Old Code] Firefox extension old URL
   [Fixed Code] Firefox extension new URL

3. Vulnerability Existed: no
   New UI elements added [File] webclient/language/turkish.html [Lines] 271-274,286,304
   [Old Code] (Not present)
   [Fixed Code] Added theme options and success messages

The changes include:
- Textual clarifications (search tip message)
- Updated extension URLs
- Added new UI elements (theme options)
- Added success status messages (0 = success)
- HTML formatting changes (removed &nbsp;)

None of these changes appear to address security vulnerabilities, but rather improve user experience and maintain functionality. The extension URL update might be related to maintaining valid extension links, but this doesn't constitute a security fix.
CVE Analysis Results:
CVE-2025-47812: No