GHSA-6f9m-v7mp-7jjq: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-6f9m-v7mp-7jjq) titled 'Authentication Bypass in TYPO3 CMS' was discovered in TYPO3's Salted Password system extension, a mandatory system component. The vulnerability was disclosed on July 12, 2018, affecting TYPO3 CMS versions 7.0.0 to 7.6.29, 8.0.0 to 8.7.16, and 9.0.0 to 9.3.0. This security issue was identified and fixed by TYPO3 core team member Oliver Hader (TYPO3 Advisory).

The vulnerability allows for an authentication bypass when using hashing methods that are related by PHP class inheritance. Specifically, in standard TYPO3 core distributions, stored passwords using the blowfish hashing algorithm could be overridden when using MD5 as the default hashing algorithm, requiring only knowledge of a valid username. The vulnerability's severity is rated as Moderate, with a suggested CVSS v2.0 score of AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C/CDP:ND/TD:L/CR:ND/IR:ND/AR:ND (TYPO3 Advisory).

The impact of this vulnerability varies from none to critical, depending on the default hashing algorithm in use. It's important to note that installations using the default Portable PHP hashing algorithm (PHPass) are not vulnerable to this attack. However, systems configured to use MD5 as the default hashing algorithm are at risk of unauthorized access through authentication bypass (TYPO3 Advisory).

The vulnerability has been patched in TYPO3 versions 7.6.30, 8.7.17, and 9.3.2. Users are advised to update to these patched versions to address the security issue. The default configuration using the Portable PHP hashing algorithm (PHPass) is not vulnerable to this attack (TYPO3 Advisory).