Error 403: Forbiddenupdating a profile

[alpo56]

Hi,
I have 1.5.3 version installed, and the problem I have is that when upgrading any user (password, time zone, etc ...) I get this error.
Searching in the forum, one saw the same thing had happened and that was the mod_security. I contacted the hosting and they swich off it (or so they say).
If the mod security is disabled, what else could it be?
As I make sure that is disabled?

Thanks

[Pet]

You can make sure mod security is disabled by running phpinfo. To do that, create a plain text file called whatever you want, ie phpinfo.php with the following line:

Code: [Select]

<?php phpinfo() ?>
Upload it to the root of your site, then in a browser run http://yoursite/phpinfo.php

To confirm that the mod_security module is installed on your server, open your PHP Info page, scroll down and find the heading "Loaded Modules" and see if "mod_security" is in the list. If you can't find a "loaded modules" section then just search for mod_security.

[alpo56]

Ok, thanks

[Niels]

Any Idea where I would set mod_security to the new mod_security2 ?
that seems to be the problem with me.

[gwest39]

I am using version 1.7.2 and I get a 403 Forbidden error whenever trying to update a user profile or password. I can upload an avatar and edit permissions for a user just fine. After looking into it I was able to determine that the problem has something to do with "redirect_to" in the "fengoffice\application\controllers\AccountController.class.php" file. After setting "redirect_to" to "null" under both the "edit_profile" and "edit_password" functions the problem went away.

Code: [Select]

tpl_assign('redirect_to', $redirect_to);

Was changed to:

Code: [Select]

tpl_assign('redirect_to', null);

I'm not sure if this is just a problem on our system for some reason or why without the "redirect_to" you don't get a 403 Forbidden error. When pasting the URL from the <form> action attribute from the page source directly in my web browser I also get a 403 error. When I delete the "&redirect_to=..." part from the URL the error goes away. This is the URL I had under the action attribute in the <form> element that caused the error (I only changed the domain to www.mydomain.com):

http://www.mydomain.com/fengoffice/index.php?c=account&amp;a=edit_password&amp;id=2&amp;redirect_to=http%3A%2F%2Fwww.mydomain.com%2Ffengoffice%2Findex.php%3Fc%3Duser%26a%3Dcard%26id%3D2

I attached the modified "AccountController.class.php" file (from Feng Office version 1.7.2) for reference. (You need to be logged in to download the file and then remove the .txt extension from the file name after downloading.)