Such files are hidden files in linux, by convention, and security-sensitive files (.htaccess
and .htpasswd
in particular) begin with .
. Additionally, a popular though outmoded exploit once involved putting ..
in paths, and the use of /./
in paths could in some cases be used to foil access rules. For these reasons, most apache configurations tend to deny access to these files and paths.
You should have a rule somewhere that does something along the lines of:
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>
Note that it might look very little like that; it's only an example. Make sure you've covered all the security bases I mentioned earlier, and then get rid of that rule, or scope it appropriately.
By far the easier, safer, and more standard thing to do would be to amend your directory structure and/or application to not require pathnames with elements that have a leading .
.