Information disclosure on mod_auth ( apache 1.3.26 ) ?

["Hector A. Paterno" <apaterno () dsnargentina com ar>]

Hi, I have found  a discrepancy between mod_auth and ServerTokens Prod.
 
Using, openbsd CURRENT , apache 1.3.26, as the example:
 
I add the following line to the httpd.conf file :

ServerTokens Prod
 
So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server :
 
 HEAD / HTTP/1.0\r\n\r\n
 
[info]
Server: Apache
[info]
 
But , when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following errror : 
 
401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80
 
Giving me the version of the apache server.
 
I'm not an apache guru, but from from my point of view this seems to be a  
flaw(?) in the mod_auth module.

Comments appreciated.
 
Best Regards.

-- 
Hector A. Paterno
Digital Security Networks S.A.
Mail : apaterno () dsnargentina com ar
Fido : 4:901/343.5
pub  1024D/C1F2348C 2001-12-04 Hector A. Paterno <apaterno () dsnargentina com ar>
Key Fingerprint : D741 154E 5CA0 C446 1A7B 4750 0469 0BEB C1F2 348C
Key ID : 0xC1F2348C ( pgp.mit.edu )