Its clear to me now. So you say it's a 'feature' of Hiawatha?
I just simulated a server exploit by placing a symbolic link in the websiteroot to /etc. Now I can read and/or write every system configuration file (worldwide readable and/or writable files, and without using the FL Security System, chroot, grsec and containerization features of Fortress Linux).
And yes, after adding .hiawatha (containing "deny all") to my /etc directory it avoids any writing, editing and listing in /etc. Would it not be wiser to deny any reading/writing/listing (outside the webroot) by default?
Luckily this exploit is normaly prevented by the Fortress Linux Security system, but this could be an serious exploit possibility for every default Ubuntu, Debian, Suse, Slackware, Fedora etc. installation.
I though that preventing any possible (stack) exploitation should be the default behaviour of a secure webserver?