pumpernikel

Temporary disable mod_security2 in virtual host section in httpd.conf

<VirtualHost my_host>
    SecRuleInheritance Off
    ....
</VirtualHost>

I have this messages in Apache error_log

[08/Jun/2007:00:38:54 +0400] [n.n.n.n/sid#8007cc48][rid#80535f38][/wp-admin/index-extra.php][1] Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"]
[08/Jun/2007:00:39:10 +0400] [n.n.n.n/sid#8007cc48][rid#80336da8][/wp-admin/admin-ajax.php][1] Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"]

and in modsecure_debug.log

[08/Jun/2007:00:38:54 +0400] [n.n.n.n/sid#8007cc48][rid#80535f38][/wp-admin/index-extra.php][1] Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"]
[08/Jun/2007:00:39:10 +0400] [n.n.n.n/sid#8007cc48][rid#80336da8][/wp-admin/admin-ajax.php][1] Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"]
[08/Jun/2007:00:40:06 +0400] [n.n.n.n/sid#8007cc48][rid#80537f40][/wp-admin/theme-editor.php][2] Warning. Pattern match "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*? ..." at ARGS:newcontent. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <<script>"] [severity "CRITICAL"]
[08/Jun/2007:00:40:06 +0400] [n.n.n.n/sid#8007cc48][rid#80537f40][/wp-admin/theme-editor.php][1] Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at ARGS:newcontent. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"]

Fedora, Apache/2.2.x with mod_security2 module

Possible problem in Apache mod_security2.c module, rules too strong.