Last week Jimbo did some updates on access controls to protect specific configuration file /admin/settings.config. Jimbo is smart, but it seems some logical issue is mixing something up. From log files some users are still able to access secret file with response code 200. You need to help this guy before he gets fired - only thing Jimbo mentioned is that server_name config is set to jimbo. Try to see if You can get access to that configuration file. Jimbo's site

What do You know about request smuggling?

HTTP request smuggling https://portswigger.net/web-security/request-smuggling