Hey Ben,
Do you have control of the ModSecurity rule configs or is this an issue on another site?  If it is the former, you may want to add an exception for that rule so that it doesn't trigger on that parameter value.

See steps here - http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

If that does not work well enough for you, you might consider disabling that rule entirely with SecRuleRemovebyId 950911

We currently have two rules for HTTP Response Splitting Attacks and 950910 is actually stronger.

Hope this helps.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Ben Marks <ben@blueacorn.com>
Date: Monday, October 29, 2012 4:38 PM
To: "mod-security-report-false-positives@lists.sourceforge.net" <mod-security-report-false-positives@lists.sourceforge.net>
Subject: [Mod-security-report-false-positives] Field submitted with both http and meta tag triggers false positive

Ref: https://twitter.com/benmarks/status/262957887192715265/photo/1/large

For the rule (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b), any submitted data with the basic pattern...

https <meta

...will trigger a positive result.

Based on the generality of the regex involved, I'm not sure there is a way around this issue, but here's the business use: in Magento, and likely in other Web apps with CMS or CMS apps, there is a field for adding miscellaneous content to the <head>. It is not uncommon for admin users of the GUI to add Google site verification meta or possibly other HTML meta data using this field, along with miscellaneous third-party javascript sources.

Please let me know if more information is needed or if I have missed any requirements necessary for this list.

Regards,
Ben Marks
Senior Developer, Blue Acorn http://www.blueacorn.com






This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.