For the record, this issue was slashdoted yesterday: http://apache.slashdot.org/story/16/01/30/1825256/sensitive-information-can-be-revealed-from-tor-hidden-services-on-apache