ModSecurity (Core Rules) HTTP Parameter Pollution Filter Bypass Vulnerability - Jun 11 2009 07:11PM - lavakumar kuppan (lavakumar in gmail com) : SecurityFocus

Apparently there is a vulnerability in mod_security that allows its rules to be bypassed.

[Vulnerability Details]

Modsecurity is an Open source Web Application firewall which runs as an Apache module. It has a comprehensive set of rules called 'ModSecurity Core Rules' for common web application attacks like SQL Injection, Cross-Site Scripting etc.

It is possible to bypass the ModSecurity Core Rules due to the difference in behaviour of ModSecurity and ASP/ASP.NET applications in handling duplicate HTTP GET/POST/Cookie parameters. Using duplicate parameters has been termed as HTTP Parameter Pollution by Luca Carettoni and Stefano Di Paola.

When multiple GET/POST/Cookie parameters of the same name are passed in the HTTP request to ASP and ASP.NET applications they are treated as an array collection. This leads to the values being concatenated with a comma in between them.

http://www.securityfocus.com/archive/1/504240
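The following is an added illustration, not code from the advisory or from the ModSecurity project, of the mismatch the advisory describes: a filter that inspects each occurrence of a duplicated parameter on its own never sees the comma-joined string that an ASP/ASP.NET backend builds. It models three backend conventions (the comma join the advisory states for ASP/ASP.NET; last-value and first-value semantics, which are assumptions added here for contrast) and compares a per-value check with a check that also inspects the backend's merged view. The rule regex and the query strings are constructed samples.

```python
import re
from urllib.parse import parse_qsl


def backend_view(pairs, platform):
    """Return the parameter map as the named backend would expose it.

    pairs    -- list of (name, value) tuples in request order
    platform -- 'aspnet' (comma join, per the advisory), 'php' (last value
                wins) or 'servlet' (first value wins); the latter two are
                assumptions used here only for contrast.
    """
    grouped = {}
    for name, value in pairs:
        grouped.setdefault(name, []).append(value)

    view = {}
    for name, values in grouped.items():
        if platform == "aspnet":
            view[name] = ",".join(values)     # array collection joined with ','
        elif platform == "php":
            view[name] = values[-1]
        elif platform == "servlet":
            view[name] = values[0]
        else:
            raise ValueError("unknown platform: %s" % platform)
    return view


# Constructed detection rule: a SELECT ... FROM pair inside a single value.
RULE = re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE)


def per_value_check(pairs, rule=RULE):
    """Naive inspection: each occurrence of a parameter is tested alone."""
    return any(rule.search(value) for _, value in pairs)


def normalized_check(pairs, platform, rule=RULE):
    """Inspect every raw value AND the value the backend will actually see."""
    if per_value_check(pairs, rule):
        return True
    return any(rule.search(value) for value in backend_view(pairs, platform).values())


def inspect(query, platform, rule=RULE):
    """Run both checks over a raw query string and report their verdicts."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return {
        "per_value": per_value_check(pairs, rule),
        "normalized": normalized_check(pairs, platform, rule),
    }


if __name__ == "__main__":
    # Constructed sample: the keyword pair is split across two 'q' parameters.
    sample = "id=1&q=select+x&q=from+t"
    for platform in ("aspnet", "php", "servlet"):
        print(platform, backend_view(parse_qsl(sample), platform), inspect(sample, platform))
```

The practical takeaway for a filter operator is that inspection must be done on the same representation the application consumes; for an ASP/ASP.NET backend that means evaluating rules against the comma-joined value of every duplicated parameter, not only against each occurrence separately.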
