Quick update,
Note: I was wrong about changing the mod_security option in your .htaccess file. As yes, at some hosts it does work and at others though, they may have that ability turned off at the web server level. So just depends on your host, whether you can do that or not.
And I did get this to work, by sticking to it. =) I put it into a container and whitelisted one of the mod_security rules, oddly enough it was like rule 12344321 or something like that. Don’t quote me on the rule number, though there are quite a few. Phew! =)
Once I did that, I then did a quick check of the piwik system by first renaming the config.ini.php to config.old.php and then using the install checklist found on the second page of the piwik install to check on everything for me.
When everything checked out I then renamed the config file back to config.ini.php and everything worked. Stuff started showing up. Woot! =)
The problem here seems to be, but don’t quote me on this, that the newest form of mod_security doesn’t like urls or even encoded urls passed in the querystring as parameters. Because sometimes they can be run/eval’d by the system unknowingly and the encoding then doesn’t protect. At least this seems to be the case. The short term fix is to whitelist the new mod_security rule/turn it off and to apply a rider to programatically reformat/substitute areas in the url parameter that piwik passes as part of it’s querystring into something less threatening like an array or a substitution and then piece it back together wherever needed.
As the creator says, you may need to talk to your host to get them to do the above for you.
Possibly the long term though fix for piwik, so they can stop worrying about getting any more mod_security errors, because they aren’t going away, may be to change the piwik code to either serialize the url parameter found in the piwik querystring, or send it as an array or to use a substitution or just not to use a full fledged url as a parameter, but instead to chop it up into reconstitutable pieces. This definitely seems like something that can be fixed.
Hope this helps somebody, hang in there, there is a fix, just not an easy one. =)
Best,
-C
P.s. Thanks for putting the time into some great software, if you could now just fix this mod_security burp you’d be golden. =)