Webmin has it’s own built-in web client. It reports itself as “Webmin” in the User Agent field. I’m not sure how mod_security would determine a threat based on just the agent…but I suppose it might try. I’m actually kinda curious why mod_security would block text-based clients…that rules out all blind users using page readers, in addition to folks in limited environments (some cell phones, etc.).
Anyway, I’m not sure how to convince mod_security to let Webmin talk, but I’ll try to find some time to play with mod_security in the near future. A few people have asked about it…I’m not convinced it’s a good idea for the vast majority of users, because it introduces its own large set of problems (including a spotty security history of its own) and usually requires customization to actually be of help in securing the packages actually in use without breaking them. But, the SQL injection protection for PHP scripts is pretty cool, if it actually works. It’s a hard call.