Hi there,

This tripped me up today so thought I shoud add it.

ModSec rule 981248 contained in CRS base rules modsecurity_crs_41_sql_injection_attacks will cause RC to break as shown below.

[Thu Nov 03 15:57:49 2011] [error] [client 82.173.139.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*x?or|div|like|between|and\\s*\\d+\\s*[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s ..." at REQUEST_COOKIES:roundcube_sessid. [file "/modsec/modsec-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "7or"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [hostname "webmail.example.com"] [uri "/"] [unique_id "TrKr7VjGXw0AABsFSnEAAAAB"]

A work around is to add this to the vhost: SecRuleRemoveById 981248

BR, S