I recently discovered a bug in YaBB whilst locking down a customer's server.

YaBB has fairly crude regex matches for /^IIS/ coded into it; they are there so that the scripts don't output malformed headers on Windows systems.

Generally, as a rule (wherever possible), I tend to hide version numbers of all core daemons running on any public-facing machine - or spoof them.

In this example I had configured Apache on a customer's server to return Microsoft-IIS/5.0 as its ServerTokens string (OK, not a major means of security - but every little helps). I then ended up with phone calls complaining of YaBB installs throwing 500 errors.

Because of YaBB's crude regexes it was throwing malformed (retarded) Windows HTTP headers. So I decided to report it as a bug with YaBB's developers - bearing in mind, I don't use YaBB and am not exactly a Perl developer (although if I can work it out, how hard can it be!).

I can't say I was overly impressed with the response; I was told to comment out the IIS-specific code rather than them fix it. (Great, thanks guys!)

I then politely posted back that it might be a wise idea to check the platform as well as the HTTP daemon (as quite obviously IIS doesn't run (well, not stable anyway - good ole' wine) on anything other than Windows).

I haven't yet had a response on that, and I know it isn't exactly a critical bug, so I posted it here just as a heads-up for anyone that encounters the same issue.

The thread is here on YaBB's community forum if anyone is interested.
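
The platform check suggested above, sketched in Perl as an added example (this is not YaBB's code). The `/IIS/` pattern, the use of the CGI `SERVER_SOFTWARE` variable, the `MSWin32` comparison and both function names are assumptions made for illustration; the sample environments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Banner-only check: trusts whatever the web server reports about itself.
# Hypothetical helper; the pattern and variable are assumptions, not YaBB's code.
sub is_iis_banner_only {
    my ($env) = @_;
    return ( $env->{SERVER_SOFTWARE} // '' ) =~ /IIS/ ? 1 : 0;
}

# Banner plus platform: IIS only runs on Windows, so a banner claiming IIS
# on any other OS is treated as spoofed and the IIS header path is skipped.
sub is_iis_checked {
    my ( $env, $os ) = @_;
    $os //= $^O;    # Perl's OS name; "MSWin32" on native Windows builds
    return 0 unless $os eq 'MSWin32';
    return is_iis_banner_only($env);
}

# Constructed sample environments (not captured from a real server):
# [ label, SERVER_SOFTWARE value, OS name ]
my @cases = (
    [ 'Apache, honest banner, Linux', 'Apache',            'linux'   ],
    [ 'Apache spoofing IIS, Linux',   'Microsoft-IIS/5.0', 'linux'   ],
    [ 'Real IIS, Windows',            'Microsoft-IIS/5.0', 'MSWin32' ],
    [ 'Banner missing, Windows',      undef,               'MSWin32' ],
);

# Show where the two checks disagree: only the spoofed-banner case differs.
for my $case (@cases) {
    my ( $label, $banner, $os ) = @$case;
    my $env = { SERVER_SOFTWARE => $banner };
    printf "%-30s banner-only=%d  banner+platform=%d\n",
        $label, is_iis_banner_only($env), is_iis_checked( $env, $os );
}
```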