Found this a little while back: Bozo will expose .htpasswd files.
Test Case:
printf 'user:'`pwhash pass`'\n' >/var/www/.htpasswd
Enter 'user' for the username and 'pass' for the password
You should then see the contents of the .htpasswd file
I don't see any code preventing the exposure of the file
I believe this file should be "forbidden" (whatever the error code is (403?)).
It looks to me like the fix should go somewhere around bozo_process_request, but I'm still digging...
JP
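As an added illustration of the fix the report points at (this is hypothetical example code, not bozohttpd's own source and not JP's), the check below answers 403 for any request whose path contains a `.htpasswd` component. It runs on the percent-decoded path so that an encoded spelling of the same name is treated identically; the names `percent_decode`, `path_has_forbidden_component` and `status_for_request` are assumptions made for this example, and the 400 for a malformed escape is likewise an assumed choice.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical list of basenames that must never be served.
 * Only .htpasswd is taken from the report; extend as needed. */
static const char *const forbidden_basenames[] = { ".htpasswd", NULL };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (dstlen bytes). Returns 0 on success,
 * -1 on a malformed escape, an encoded NUL, or insufficient space. */
int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            if (src[i + 1] == '\0' || src[i + 2] == '\0') return -1;
            int h = hexval((unsigned char)src[i + 1]);
            int l = hexval((unsigned char)src[i + 2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Return 1 if any '/'-separated component of path is a forbidden basename. */
int path_has_forbidden_component(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        while (*p == '/') p++;           /* skip one or more separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        for (const char *const *f = forbidden_basenames; *f != NULL; f++) {
            if (strlen(*f) == len && strncmp(start, *f, len) == 0)
                return 1;
        }
    }
    return 0;
}

/* Map a raw request URI path to an HTTP status: 400 if it cannot be
 * decoded, 403 if it names a forbidden file, else 200 (stand-in for
 * normal file handling). */
int status_for_request(const char *raw_uri)
{
    char decoded[1024];
    if (percent_decode(raw_uri, decoded, sizeof decoded) != 0)
        return 400;
    return path_has_forbidden_component(decoded) ? 403 : 200;
}

int main(void)
{
    /* Constructed sample request paths, not captured traffic. */
    const char *samples[] = {
        "/index.html", "/.htpasswd", "/docs/.htpasswd", "/%2ehtpasswd", "/htpasswd", "/%zz"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], status_for_request(samples[i]));
    return 0;
}
```

The decode-then-check order matters: a check applied to the raw URI would pass an encoded name through to the filesystem, where the operating system opens the real file. Applying the same rule before any directory or file is opened keeps the decision in one place, which is why the report's suggestion of hooking near request processing rather than in file serving is the natural spot.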