GHSA-jqr8-q455-xx45: 
PHP vulnerability analysis and mitigation

A brute force protection bypass vulnerability was discovered in TYPO3 CMS backend login (GHSA-jqr8-q455-xx45). The vulnerability affects TYPO3 versions 6.2.0 to 6.2.13 and 7.0.0 to 7.3.0, and was disclosed on July 1, 2015. The issue was discovered by Franz G. Jahn and was patched in versions 6.2.14 and 7.3.1 (TYPO3 Advisory).

The vulnerability exists in the backend login's basic brute force protection mechanism, which was designed to pause for 5 seconds when incorrect credentials are provided. However, this protection could be circumvented by crafting a special request, making it possible to perform brute force attacks against backend editor credentials more efficiently. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (GitHub Advisory).

The vulnerability allows attackers to bypass the brute force protection mechanism in the TYPO3 backend login, making it feasible to perform brute force attacks against backend editor credentials. This could potentially lead to unauthorized access to the backend system if weak credentials are used (TYPO3 Advisory).

The vulnerability was fixed in TYPO3 versions 6.2.14 and 7.3.1. The patch moved the 5-second delay code to a location that cannot be bypassed and extended the protection to frontend logins as well. Additionally, a new hook was implemented to allow custom brute force protection strategies. The hook can be registered using: $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'][] = 'My\Package\HookClass->hookMethod' (TYPO3 Advisory).