Stefan Arentz has discovered a security hole in Apache which affects Mac OS X Clients serving pages off of HFS+ formatted volumes and using .htaccess for protecting directories. Since HFS+ doesn't care about capitalization, but Apache does, you can access a protected directory (say "test") by using a version with capitalization ("tEsT"). Apache won't see this as a request for a protected directory, and HFS+ will return the file, since it doesn't care about the capitalization. Instant password protection workaround.
Stefan has posted a thorough description of the bug on SecurityFocus; check out the article for more information, along with a suggested workaround until Apple releases a patch of some sort (if they do).
If you are serving pages from an HFS+ disk, protected with .htaccess files on your OS X client box, this article and workaround are a must read!
Mac OS X Hints
http://hints.macworld.com/article.php?story=20010612193021334