Hi there, This tripped me up today so thought I shoud add it.
ModSec rule 981248 contained in CRS base rules modsecurity_crs_41_sql_injection_attacks will cause RC to break as shown below. [Thu Nov 03 15:57:49 2011] [error] [client 82.173.139.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\\\s*\\\\(\\\\s*select)|(?:\\\\d+\\\\s*x?or|div|like|between|and\\\\s*\\\\d+\\\\s*[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*(?:drop|alter))|(?:(?:;|#|--)\\\\s*(?:update|insert)\\\\s ..." at REQUEST_COOKIES:roundcube_sessid. [file "/modsec/modsec-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "7or"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [hostname "webmail.example.com"] [uri "/"] [unique_id "TrKr7VjGXw0AABsFSnEAAAAB"] A work around is to add this to the vhost: SecRuleRemoveById 981248 BR, S -- List info: http://lists.roundcube.net/users/ BT/8f4f07cd
