Index: typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php
===================================================================
--- typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php (revision 6776)
+++ typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php (working copy)
@@ -79,6 +79,15 @@
 */
 protected $objInstanceSaltedPW = NULL;
+ /**
+ * Indicates whether the salted password authentication has failed.
+ *
+ * Prevents authentication bypass. See vulnerability report:
+ * { @link http://bugs.typo3.org/view.php?id=13372 }
+ *
+ * @var boolean
+ */
+ protected $authenticationFailed = FALSE;
 /**
 * Checks if service is available. In case of this service we check that
@@ -123,6 +132,12 @@
 if (is_object($this->objInstanceSaltedPW)) {
 $validPasswd = $this->objInstanceSaltedPW->checkPassword($password,$user['password']);
+ // record is in format of Salted Hash password but authentication failed
+ // skip further authentication methods
+ if (!$validPasswd) {
+ $this->authenticationFailed = TRUE;
+ }
+
 $defaultHashingClassName = tx_saltedpasswords_div::getDefaultSaltingHashingMethod();
 $skip = FALSE;
@@ -158,10 +173,20 @@
 $validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));
 }
+ // skip further authentication methods
+ if (!$validPasswd) {
+ $this->authenticationFailed = TRUE;
+ }
+
 // password is stored as md5
 } else if (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
 $validPasswd = (!strcmp(md5($password), $user['password']) ? TRUE : FALSE);
+ // skip further authentication methods
+ if (!$validPasswd) {
+ $this->authenticationFailed = TRUE;
+ }
+
 // password is stored plain or unrecognized format
 } else {
 $validPasswd = (!strcmp($password, $user['password']) ? TRUE : FALSE); 
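Review bot: The inline tag in the new property docblock is written `{ @link http://bugs.typo3.org/view.php?id=13372 }`; phpDoc inline tags take no whitespace inside the braces, so doc tools will not resolve it unless it reads `{@link http://bugs.typo3.org/view.php?id=13372}`. The description could also state what the flag is consumed for, since that is only visible in a later hunk: `Set once a stored hash in a recognised format failed to verify; the authentication method then refuses to delegate to further auth services.` That the flag is only set for recognised hash formats is inferred from the following hunks, not from this one.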
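Review bot: The flag is set to TRUE here but nothing in the change ever resets it to FALSE, so if one service instance answers more than one authentication call within a request, a failure recorded for an earlier user record would carry over to later ones; resetting it at the start of the authenticating method, `$this->authenticationFailed = FALSE;`, would make the check strictly per call. Whether TYPO3 reuses the instance across calls is not visible here, so treat this as a precaution. The comment `// skip further authentication methods` also describes what happens later in the method rather than what this block does; `// remember the failure so the method does not delegate to further auth services` is closer to the code. The enclosing method starts before this hunk.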
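Review bot: The same block setting `$this->authenticationFailed` now appears three times (once in the previous hunk, twice here), and only the final plain-text/unrecognised `else` leaves it unset, which makes the one branch where delegation is still allowed easy to miss. A single assignment after the if/else chain would state that rule once: initialise `$storedPlain = FALSE;` before the `if (is_object($this->objInstanceSaltedPW))` at the top of the previous hunk, set `$storedPlain = TRUE;` in the final `else`, and replace the three blocks with `$this->authenticationFailed = !$validPasswd && !$storedPlain;` once the chain closes. If leaving the plain-text branch out is deliberate, a comment in that `else` saying so would also help, since the chain's closing brace and the rest of the method lie outside this hunk. The regex and strcmp comparisons on the context lines are pre-existing and not part of this change.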
@@ -219,7 +244,7 @@
 );
 }
- if (!$validPasswd && intval($this->extConf['onlyAuthService'])) {
+ if (!$validPasswd && (intval($this->extConf['onlyAuthService']) || $this->authenticationFailed)) {
 // Failed login attempt (wrong password) - no delegation to further services
 $this->writeLog(
 TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'',
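Review bot: The widened condition stops delegation whenever a recognised hash failed to verify, but the reason is only recoverable by following the bug-tracker link in the property docblock; a comment directly above the `if` would keep it with the code: `// A stored hash in a recognised format that did not verify must not be handed on to further auth services, whatever onlyAuthService says (see bug 13372).` The log message on the last line still says "wrong password", which remains accurate for both operands of the new `||`. The rest of this method, including the value returned after the log call, lies outside the hunk.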