Especially if you are sitting at a public computer and log in to a Drupal site, you don’t get logged out that easily if you don’t click on log out explicitly. A possible attacker could now just navigate to your Drupal site, change your password and he’s done. Most other services require that you enter your old password when you do such elementary things as changing your password.
The attached patch requires that you enter your old password when changing your password. This applies even if you have administer user privileges and try to change your own password.
Comment | File | Size | Author |
---|---|---|---|
 | verify_password.patch | 2.17 KB | kkaefer |
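
The rule proposed in the issue above, shown as an added example in plain PHP; it is not the attached patch and not Drupal's API. The function names and the account array layout are hypothetical, and it assumes that an administrator changing another user's password is not asked for that user's old password.

```php
<?php
// Added example. may_change_password(), change_password() and the account
// array layout ['uid', 'hash', 'is_admin'] are hypothetical, not Drupal code.

/**
 * Decide whether the logged-in $actor may set a new password on $target.
 * A valid session is not sufficient proof of identity for one's own account.
 */
function may_change_password(array $actor, array $target, ?string $current): bool
{
    if ($actor['uid'] !== $target['uid']) {
        // Assumption: resetting another account is an administrative action.
        return $actor['is_admin'];
    }
    // Own account: require the current password, administrators included.
    if ($current === null || $current === '') {
        return false;
    }
    // password_verify() re-hashes the input and compares in constant time.
    return password_verify($current, $target['hash']);
}

function change_password(array $actor, array &$target, ?string $current, string $new): bool
{
    if (!may_change_password($actor, $target, $current)) {
        return false;
    }
    $target['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample accounts.
$user  = ['uid' => 2, 'is_admin' => false,
          'hash' => password_hash('old-user-pass', PASSWORD_DEFAULT)];
$admin = ['uid' => 1, 'is_admin' => true,
          'hash' => password_hash('old-admin-pass', PASSWORD_DEFAULT)];

// Left-open session on a shared computer: current password is not known.
var_dump(change_password($user, $user, null, 'new-pass'));
// Administrator changing their own password without the old one.
var_dump(change_password($admin, $admin, '', 'new-pass'));
// Legitimate owner supplying the current password.
var_dump(change_password($user, $user, 'old-user-pass', 'new-pass'));
// Administrator resetting another user's password.
var_dump(change_password($admin, $user, null, 'reset-pass'));
```
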
Comments
Comment #1
kkaefer commented: Duplicate of http://drupal.org/node/86299