[TYPO3-core] RFC #16223 : Bugfix : Failed backend userlogins are not written to syslog using saltedpasswords

Bjoern Pedersen bjoern.pedersen at frm2.tum.de
Fri Mar 18 09:12:59 CET 2011

> The logging functions in saltedpasswords are not able to log failed
> backend userlogins to TYPO3´s syslog, because the inherited
> writelog-function gets overridden by a local function. As a result, no
> notification e-mail is sent to [warning_email_addr] when a backend user
> has multiple failed login attempts. A remote “attacker” could try to
> login to a TYPO3 installations backend numerous of times without being
> noticed (no log entry and no warning-email if configured).

Almost correct. The base class log function is calles "writelog" (all
lower case), the additional log function in saltedpasswords "writeLog"
(camel case, first word lower case). So it should be enough to add calls
to $this->writelog... (lower case).


PS: TYPO3 changed their patch submission to git/gerrit

More information about the TYPO3-team-core mailing list