Information disclosure during backend login
In case a wrong username is submitted, other HTTP headers are sent than
in case only the password is wrong. This provides an attacker with more
information than intended.
I tracked down this problem to the various session_start() calls, which
also send HTTP headers by default. If the submitted username exists, a
PHP session is started to get the challenge out of the session
(compareUident()). This sends out some HTTP headers which will then
partly be overridden by header() calls (sendNoCacheHeaders()) with the
same HTTP headers (both happening in t3lib_userauth).
Reporter: Sebastian Schinzel
(issue imported from #M16894)
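The check a tester would run to confirm the oracle described in this report is to submit two failed logins, one with a non-existent username and one with an existing username and a wrong password, and diff the response headers after discarding the parts that legitimately vary between requests. The following is an added example, not code from the report or from TYPO3. The two HTTP responses are constructed; the "known user" response assumes the default behaviour of PHP's session_start() (a PHPSESSID cookie plus Expires, Cache-Control and Pragma headers), with the application's own Cache-Control and Pragma header() calls replacing the session versions and the Expires header surviving, which is one reading of the "partly overridden" behaviour above.

```python
from collections import Counter

# Constructed sample responses (not captured from any real TYPO3 install).
# Response to a login attempt with a username that does not exist:
# no session is started, only the application's own no-cache headers appear.
UNKNOWN_USER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 01 Jan 2011 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Cache-Control: no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<html>login failed</html>"
)

# Response to a login attempt with an existing username and a wrong password.
# Assumed model: session_start() emitted Set-Cookie, Expires, Cache-Control
# and Pragma; the later header() calls replaced Cache-Control and Pragma but
# left Set-Cookie and Expires in place.
KNOWN_USER_WRONG_PASSWORD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 01 Jan 2011 00:00:01 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/\r\n"
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\n"
    "Cache-Control: no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<html>login failed</html>"
)

# Headers that differ between any two requests and carry no signal.
VOLATILE = {"date", "content-length", "connection", "keep-alive"}


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(headers):
    """Reduce a header list to a multiset of the parts stable across requests.

    Set-Cookie is kept by cookie name only, since the cookie value changes
    on every request; the presence of the cookie is what leaks information.
    """
    fp = Counter()
    for name, value in headers:
        if name in VOLATILE:
            continue
        if name == "set-cookie":
            fp[(name, value.split("=", 1)[0])] += 1
        else:
            fp[(name, value)] += 1
    return fp


def header_oracle(resp_a, resp_b):
    """Return what distinguishes the two responses at the header level."""
    status_a, headers_a = parse_response_headers(resp_a)
    status_b, headers_b = parse_response_headers(resp_b)
    fp_a, fp_b = fingerprint(headers_a), fingerprint(headers_b)
    return {
        "status_differs": status_a != status_b,
        "only_in_a": sorted((fp_a - fp_b).elements()),
        "only_in_b": sorted((fp_b - fp_a).elements()),
    }


def leaks_username_validity(resp_unknown_user, resp_known_user):
    """True if an attacker can tell the two failure modes apart by headers."""
    diff = header_oracle(resp_unknown_user, resp_known_user)
    return diff["status_differs"] or bool(diff["only_in_a"]) or bool(diff["only_in_b"])


if __name__ == "__main__":
    diff = header_oracle(UNKNOWN_USER, KNOWN_USER_WRONG_PASSWORD)
    print("leaks:", leaks_username_validity(UNKNOWN_USER, KNOWN_USER_WRONG_PASSWORD))
    print("only in known-user response:", diff["only_in_b"])
```

After a fix, both failure paths should yield an empty difference from header_oracle(); running the same comparison against the body and the response timing is the natural follow-up, since a server that has been made header-identical can still leak the same bit through either.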