Especially if you are sitting at a public computer and log in to a Drupal site, you don't get logged out that easily if you don't click "Log out" explicitly. A possible attacker could now just navigate to your Drupal site, change your password, and he's done. Most other services require that you enter your old password when you do such elementary things as changing your password.

The attached patch requires that you enter your old password when changing your password. This even applies if you have the "administer users" privilege and try to change your own password.

Files:
File                    Size      Author
verify_password.patch   2.17 KB   kkaefer
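The check the patch describes, written out as a stand-alone PHP example (added here; this is not the attached patch and not Drupal's own form-validation code). It assumes a minimal Account class, a permission string "administer users", and the rule that an administrator resetting someone else's password is not re-prompted for their own password; all of these are assumptions for illustration, and PHP's password_hash()/password_verify() stand in for whatever hashing the site uses.

```php
<?php
// Added example, not from the Drupal patch: a password-change handler that
// demands the account's current password before accepting a new one, even
// when the actor holds an administrative privilege.
declare(strict_types=1);

// Minimal stand-in for a user record (assumption; not Drupal's user object).
final class Account
{
    public function __construct(
        public int $uid,
        public string $passwordHash,
        public array $permissions = []
    ) {}
}

/**
 * Change $target's password on behalf of $actor.
 *
 * Assumed rules, mirroring the issue's intent:
 *  - Changing your own password always requires the current password,
 *    regardless of the 'administer users' permission.
 *  - Changing another user's password requires 'administer users'; the
 *    administrator's own password is not re-checked in that path.
 *
 * Returns an error message, or null on success.
 */
function change_password(Account $actor, Account $target, ?string $currentPassword, string $newPassword): ?string
{
    if ($newPassword === '') {
        return 'New password must not be empty.';
    }

    if ($actor->uid === $target->uid) {
        // Own account: an active session is not proof of identity (it may be
        // an unattended public machine), so require the current password.
        // password_verify() does a constant-time comparison of the hash.
        if ($currentPassword === null || !password_verify($currentPassword, $target->passwordHash)) {
            return 'The current password you entered is incorrect.';
        }
    } elseif (!in_array('administer users', $actor->permissions, true)) {
        // Someone else's account without the privilege: refuse outright.
        return 'Access denied.';
    }

    $target->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
    return null;
}

// Constructed sample accounts for a local run.
$admin = new Account(1, password_hash('admin-secret', PASSWORD_DEFAULT), ['administer users']);
$alice = new Account(2, password_hash('alice-secret', PASSWORD_DEFAULT));

// Attacker at an unattended session: no current password, or a guessed one.
var_dump(change_password($alice, $alice, null, 'pwned'));
var_dump(change_password($alice, $alice, 'wrong-guess', 'pwned'));

// Legitimate owner supplying the current password.
var_dump(change_password($alice, $alice, 'alice-secret', 'new-secret'));

// Even an administrator must supply their own current password for their own account.
var_dump(change_password($admin, $admin, null, 'other'));

// Administrator resetting another user's password (assumed not re-prompted).
var_dump(change_password($admin, $alice, null, 'reset-by-admin'));
var_dump(password_verify('reset-by-admin', $alice->passwordHash));
```

The important branch is the first one: the decision to demand the current password is keyed on "actor is editing their own account", not on the actor's role, so holding "administer users" does not exempt you on your own profile. The rule for administrators editing other accounts is an assumption of this example, not something the issue text spells out.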

Comments

kkaefer:

Status: Needs review » Closed (duplicate)