Turning mod_security completely off for an upload script scares me. I had to do that for my plugin because most people don't have mod_security, but for those of you with mod_security you might want to consider some type of access control.
Instead I would leave it on for everyone except me, and keep it on for everyone else. But actually if I was having this problem I would go and turn on debugging to find out the security rule causing this false positive and just fix that.
SetEnvIfNoCase Remote_Addr ^208\.113\.183\.103$ MODSEC_ENABLE=Off
Which isn't a bad thing, just some unfinished action-script programming for the flash developer. So sounds like you guys are having a different problem than a HTTP Basic authentication one, so my guess is the flash app is using some sort of suspicious looking request in its communication with the server.
You can easily find out exactly what is triggering the mod_security rule by turning on logging. I blogged in some detail about how to do that on DreamHost.