I guess is not a http method issue but a regular expresion could it be.
SecRule REQUEST_FILENAME "^/products/.*thumbnail.gif$" "nolog,pass,ctl:RuleRemoveById=990012"
File accesed: /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1
Why donīt you try to block all *.gif files as a test? In that way you should view if there is a problem with regular expression or by the other hand is a regular expression issues.
Here is a example against file injection with some files and extensions:
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
SecRule REQUEST_FILENAME "@streq /path/to/file.php" \
Have you tried with @streq?
I guess your rule is not matching correctly the file access but I could be wrong.