OK thanks for all the replies. I've done the mod_security change and it's all working, and Nick J has a new ticket with some details.
Presumably every webhost is going to get this trouble with phpBB 3? I guess this is a simplistic analysis but if so why doesn't phpBB make the necessary information available for webhosts to update their security rules?
p.s. Thomas thanks for the warning - I'm just using it to test and compare with another messageboard
