Edit profile 403 problem

Asked Modified Viewed 2,699 times
subodh 10
I am learner keen to learn more.
---------------------------------------------------------

Gamers Worlds : The Worlds Of Gamers
  • Junior Member, joined since
  • Contributed 46 posts on the community forums.
  • Started 25 threads in the forums
  • Started this discussions
asked
Junior Member

I know this thread has also been posted by another user. But I have tried everything, like a clean install. Still can't solve the problem.


Quote

Forbidden

You don't have permission to access /edit_profile.php on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.



Server Details are:
Webserver software Apache
PHP version 5.5.30
PHP interface cgi-fcgi
MySQL Server version 5.5.49-cll
PHPFusion version 7.02.07
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct

(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
  • Super Admin, joined since
  • Contributed 6,201 posts on the community forums.
  • Started 639 threads in the forums
  • Answered 11 questions
answered
Super Admin

It is clearly a server issue somewhere if the file is not corrupt. Make sure your local copy is fresh as well, since they interconnect.
I mean the file is accessible; the only access level it checks is whether you are a member or not. But the errors thrown are on a server level and not CMS level.
What you could try is to rename the file and see if it works, since something is blocking it for some reason.
subodh 10
answered
Junior Member

The error occurs when we click on update profile.
It may occur when the file calls itself.
Falk 131
answered
Super Admin

Try downloading a fresh copy of the files and simply overwrite the current files.
subodh 10
answered
Junior Member

I have done it. Also tried a fresh install as a test. It seems to be some security problem with the server.
Falk 131
answered
Super Admin

Yes it is a strange issue, but the answer to it is on a server level.
subodh 10
answered
Junior Member

I have contacted my web host.
They said "Your script seem containing SQL injection vulnerability."

Below is firewall log:

Quote

[Wed May 04 23:13:48.729378 2016] [:error] [pid 4987] [client 103.61.55.131] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos[^a-zA-Z0-9_]{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "gour.subodh.info"] [uri "/edit_profile.php"] [unique_id "Vyq6bK6O77UAABN721cAAAAH"]

[Wed May 04 23:18:46.292684 2016] [:error] [pid 5882] [client 103.61.55.131] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos[^a-zA-Z0-9_]{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "gour.subodh.info"] [uri "/edit_profile.php"] [unique_id "Vyq7la6O77UAABb6MlQAAAAI"]

[Wed May 04 23:25:31.511526 2016] [:error] [pid 4987] [client 103.61.55.131] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos[^a-zA-Z0-9_]{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "gour.subodh.info"] [uri "/edit_profile1.php"] [unique_id "Vyq9K66O77UAABN723QAAAAH"]

[Wed May 04 23:28:45.552071 2016] [:error] [pid 3494] [client 103.61.55.131] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos[^a-zA-Z0-9_]{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "gour.subodh.info"] [uri "/edit_profile.php"] [unique_id "Vyq97a6O77UAAA2mf-gAAAAK"]

[Wed May 04 23:36:51.924076 2016] [:error] [pid 10670] [client 103.61.55.131] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos[^a-zA-Z0-9_]{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "www.gamersworlds.com"] [uri "/edit_profile.php"] [unique_id "Vyq-066O77UAACmuJ6UAAAAI"]
Falk 131
answered
Super Admin

There are no known critical security issues in v7; that is an automated script going bad. Unless you have a trojan on your site that can manipulate the file on demand. An ordinary scan should find it. Sometimes they can embed in images. But I doubt that is the case.
Wanabo 10
www.probemyip.com/probe-my-ip-80x15.png
pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
  • Senior Member, joined since
  • Contributed 598 posts on the community forums.
  • Started 94 threads in the forums
answered
Senior Member

If it is mod_security then whitelist your own ip.
/etc/httpd/modsecurity-crs/modsecurity_crs_10_setup.conf
At the bottom add:
SecRule REMOTE_ADDR "^xxx\.xxx\.xxx\.xxx$" phase:1,nolog,allow,ctl:ruleEngine=Off,id:999941

Where xxx is your own ip address

The above works with the OWASP security rules. I did use the Comodo rules once, but I'm not familiar with them.
If you get an id error, choose another id number.

Or temporarily disable mod_security to see if this is the problem.
/etc/httpd/conf/modsecurity.conf
#SecRuleEngine DetectionOnly
SecRuleEngine On


Change SecRuleEngine On to SecRuleEngine DetectionOnly

Edit: don't forget to restart httpd, so your edited mod_security rules are loaded.
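Added example, not part of any post in this thread: the firewall log above shows rule 211540 matching at ARGS_NAMES:user_password, that is, on the name of a form field rather than on a submitted value, so a narrower fix than whitelisting an IP or turning the rule engine off is to exclude that one target from that one rule. The sketch below parses constructed log lines in the same shape (client, hostname and unique_id values are made up, the pattern text is shortened) and prints a `SecRuleUpdateTargetById` line for each such case; the name-equals-match test is a heuristic assumed here, and the directive has to be loaded after the rule it modifies.

```python
import re

# Constructed sample in the shape of the quoted firewall log; the last line
# is a value match (ARGS:q) added for contrast.
SAMPLE_LOG = r'''[Wed May 04 23:13:48.729378 2016] [:error] [pid 4987] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:... mb_users|object_(?:id|(?:nam|typ)e) ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "example.test"] [uri "/edit_profile.php"] [unique_id "CONSTRUCTED-0001"]
[Wed May 04 23:25:31.511526 2016] [:error] [pid 4987] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:... mb_users|object_(?:id|(?:nam|typ)e) ..." at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [hostname "example.test"] [uri "/edit_profile1.php"] [unique_id "CONSTRUCTED-0002"]
[Wed May 04 23:40:02.000000 2016] [:error] [pid 4987] [client 192.0.2.77] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:... mb_users|object_(?:id|(?:nam|typ)e) ..." at ARGS:q. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: table_name found within ARGS:q: table_name list"] [severity "CRITICAL"] [hostname "example.test"] [uri "/search.php"] [unique_id "CONSTRUCTED-0003"]
'''

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')               # [id "211540"], [uri "..."]
TARGET = re.compile(r' at ([A-Z_]+)(?::(\S+?))?\. \[file ')  # variable that matched
MATCHED = re.compile(r'Matched Data: (.*?) found within')
SAFE_NAME = re.compile(r'[A-Za-z0-9_]+')                 # log text is client-influenced

def parse_denials(log):
    """Yield one dict per ModSecurity 'Access denied' entry in the log text."""
    for line in log.splitlines():
        target = TARGET.search(line)
        if "ModSecurity: Access denied" not in line or not target:
            continue
        f = dict(FIELD.findall(line))
        matched = MATCHED.search(f.get("data", ""))
        yield {"id": f.get("id"), "msg": f.get("msg"), "uri": f.get("uri"),
               "collection": target.group(1), "key": target.group(2),
               "matched": matched.group(1) if matched else None}

def fired_on_field_name(d):
    """Heuristic: the rule matched a parameter *name*, and the matched text is
    that whole name, so the form's field name tripped the rule, not its value."""
    return (d["collection"] == "ARGS_NAMES" and d["matched"] == d["key"]
            and SAFE_NAME.fullmatch(d["key"] or "") is not None)

def scoped_exclusions(log):
    """One directive per (rule id, field name); value matches are left for review."""
    pairs = sorted({(d["id"], d["key"]) for d in parse_denials(log)
                    if fired_on_field_name(d)})
    return [f'SecRuleUpdateTargetById {rid} "!ARGS_NAMES:{key}"' for rid, key in pairs]

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d["id"], d["uri"], f'{d["collection"]}:{d["key"]}', fired_on_field_name(d))
    print("\n".join(scoped_exclusions(SAMPLE_LOG)))
```

Before applying a generated line, confirm that the field name is one the application's own form really submits; the third sample entry, a match inside a parameter value, produces no exclusion.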
Chan 0
Lead Developer of PHP-Fusion
  • Super Admin, joined since
  • Contributed 3,841 posts on the community forums.
  • Started 232 threads in the forums
  • Answered 6 questions
answered
Super Admin

If your code for edit_profile.php is 'original' and untouched, please deprecate your user fields made by all 3rd parties.

Contact a paid developer to look at them before using 3rd party code; usually free things may come with harmful things when there is no intellectual property to benefit or protect. Vulnerabilities always increment, and therefore development is needed, hence patches. Fact is, version 7 has not been patched for ages, and you use it as-is.

Please have a look at PF 9 if you can. Although it's not branded as stable yet, and still has 'known' issues undiscovered yet, it's still built on the latest PHP coding and is a lot more superior in terms of security standards and development flexibility. Therefore, if the mindset is "let me wait until it is stable", I hope you can rethink.

Fact is, everyone knows we built PF 9 on top of a stable Version 7, and there have been thousands of issues fixed till now, some of these originating from our attempt to optimize the code of Version 7. If there are known issues, they are vividly traceable on GitHub, and developers all over the world can identify and fix them at any point in time. When they do, it's only a matter of re-uploading the affected patched files.

Therefore, it's my preferred system at the moment. It's 'active' in the very least.

Regards.
Edited by Chan on 17-05-2016 11:54,