Especially if you are sitting at a public computer and log in to a Drupal site, you don’t get logged out that easily if you don’t click on log out explicitly. A possible attacker could now just navigate to your Drupal site, change your password and he’s done. Most other services require that you enter your old password when you do such elementary things as changing your password.

The attached patch requires that you enter your old password when changing your password. This even applies if you have administer user privileges and try to change your own password.

verify_password.patch (2.17 KB) kkaefer
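The check described above, as an added PHP illustration (this is not the attached patch and not Drupal's own API; the function name, the uid arguments and the use of password_verify() in place of Drupal's password handling are assumptions):

```php
<?php
// Added illustration, not the patch or Drupal code: decide whether a password
// change may proceed. Helper name and arguments are constructed for this example.

/**
 * Returns NULL when the change may proceed, otherwise an error message.
 *
 * $actor_uid        user performing the edit
 * $target_uid       account whose password is being changed
 * $stored_hash      the target account's current password hash
 * $current_password the "old password" field (may be empty)
 * $new_password     the requested new password (empty = no change requested)
 *
 * Assumes the caller has already checked that $actor_uid is allowed to edit
 * $target_uid at all (e.g. the "administer users" permission for other accounts).
 */
function validate_password_change($actor_uid, $target_uid, $stored_hash,
                                  $current_password, $new_password) {
  if ($new_password === '') {
    return NULL; // No password change requested, nothing to verify.
  }
  // Editing your own account: always require the current password, even for
  // users with "administer users", so a left-open session alone is not enough.
  if ($actor_uid === $target_uid) {
    if ($current_password === '') {
      return 'Please enter your current password to set a new one.';
    }
    // password_verify() compares in constant time.
    if (!password_verify($current_password, $stored_hash)) {
      return 'The current password you entered is incorrect.';
    }
  }
  return NULL;
}

// Constructed demo values.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(validate_password_change(5, 5, $hash, '', 'new-secret'));              // error: missing
var_dump(validate_password_change(5, 5, $hash, 'wrong', 'new-secret'));         // error: incorrect
var_dump(validate_password_change(5, 5, $hash, 'correct horse', 'new-secret')); // NULL
var_dump(validate_password_change(1, 5, $hash, '', 'new-secret'));              // NULL (other account)
```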



Status: Needs review » Closed (duplicate)