Closed (fixed)
Project:
Drupal core
Version:
5.0
Component:
user.module
Priority:
Normal
Category:
Feature request
Assigned:
Reporter:
Created:
22 Dec 2005 at 00:01 UTC
Updated:
13 Feb 2008 at 20:17 UTC
The account settings page allows to change the user's password without entering the old password. This could be used by a malicious person to hijack another's account by changing his/her password, either by direct access to the computer used to access the site (while the user is still logged-in), or after hijacking the session id.
We should probably require the user to enter his/her old password before entering a new one.
Comments
Comment #1
magico commentedComment #2
rvk commentedI would like to add that it would be nice if it entering the current password would also be required to change the e-mail address (and perhaps other profile info as well?). Since otherwise a malicious person would still be able to render someones account useless
Comment #3
Wolfflow commentedwould like to add to User management setting a box wich will automatically give to a TEST-User account made by Administrator few basically default functionality and in the same time lock password changing and email change. This will be usefull for Drupal Testing installation around all Drupal Site registered with Drupal-Server acces verification. Even all Drupal Community will get advantages and spread testing environments all around. Maybe this can also be helpfull for debugging purposes.
Comment #4
Wolfflow commentedThere are know a lot of contributed Modules that can figure out exactly what described above.
some:
etc ....