I have some sites that use SSIs for doing virtual and file includes. These work fine under mod_security so long as SecFilterScanOutput is not enabled. As soon as SecFilterScanOutput is 'on' (even with no OUTPUT filters), these SSIs fail to include the appropriate data. I can tell from the error logs that the includes are being processed and the virtual includes are actually being requested through the server (can see debug output from mod_rewrite), but the final results of those includes are never actually included in the output from the server when SecFilterScanOutput is on. Looking at the modsecurity debug output doesnt seem to reveal anything exciting that helps towards solving this problem.
Has anyone experienced this problem? Or have further hints as to what I can look at to resolve this or at least track it down further?