This isn't a support question, but I've found a security hole/bug and I didn't see any bug reporting area on the website. XAMPP does not correctly check that the ftp password for the user nobody has been changed from "xampp". This is true both in the control panel (
http://localhost/xampp/security.php) and when running the "xampp security" script. Furthermore, the xampp security script does not actually change the password when it claims to. I know that both by testing using a FTP client, and by looking at XAMPP/xamppfiles/etc/proftpd.conf directly; there is no change in the password hash after running the xampp security script.