We added a Santy.e worm patch to our mod_security.conf yesterday however the second line (":/") is causing problems with Gallery:

SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"

Has anyone been able to come up with a workaround?

Request in Gallery:

GET /gallery/do_command.php?return=http%3A%2F%2Fwww.domain.com%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1


mod_security-message: Access denied with code 403. Pattern match ":/" at THE_REQUEST.

why do you need the ":/" anyway? Just take it out or make a chain rule.

I believe the author of the code added ":/" to make sure the worm does not hit the site even in case the worm changes the domain name from visualcoders\.net to anything else...

Adding

SecFilter "wget\x20"

would have the same effect since, they wgetted the visual coders thing.