Security Flaw?


gorni
31st March 2008, 17:20
Directory Indexes appear to be left authorized on /var/www by the ISPConfig default installation. In some circumstances, the "Shared-IP" page is not displayed when accessing the server with an IP address which is not bound to any site, and the full directory tree is browseable instead...

See also:
http://www.howtoforge.com/forums/showthread.php?p=51802

Workaround: disable the default Apache web site, which doesn't appear to be needed (nor managed) by ISPConfig:
a2dissite default
/etc/init.d/apache2 reload

till
1st April 2008, 00:04
It is not a security flaw in ISPConfig as the default Apache site is not used nor managed by ISPConfig. It's more a problem of the general Apache setup.

gorni
1st April 2008, 11:35
OK, I understand this, however, when installing ISPConfig, one may think that the full config of managed services is taken care of. There should be at least some warning about the Apache default site during the install process / instructions about removing it in the "Perfect Server" guides...
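
An added example, not part of the thread and not ISPConfig code: a post-install check for the condition discussed above, listing every enabled Apache site file in which a `<Directory>` block turns directory listings on (`Options Indexes`, `+Indexes` or `All`). The function names `audit_indexes` and `demo` are hypothetical, the two site files are constructed samples, and a Debian-style `sites-enabled` directory is assumed.

```shell
#!/bin/sh
# audit_indexes DIR: report "file: directory: option" for each Options
# directive inside a <Directory> block that enables directory listings.
audit_indexes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue              # follows sites-enabled symlinks
        awk -v file="$f" '
            /^[ \t]*#/ { next }              # skip whole-line comments
            tolower($1) == "<directory" {
                path = $2; sub(/>$/, "", path); gsub(/"/, "", path); next
            }
            tolower($1) == "</directory>" { path = ""; next }
            path != "" && tolower($1) == "options" {
                for (i = 2; i <= NF; i++) {
                    o = tolower($i); sub(/^[+]/, "", o)
                    # "All" includes Indexes; "-Indexes" is not matched
                    if (o == "indexes" || o == "all")
                        print file ": " path ": " $i
                }
            }
        ' "$f"
    done
}

# demo: run the audit over two constructed site files in a temp directory.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/sites-enabled" || return 1
    cat > "$tmp/sites-enabled/000-default" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
EOF
    cat > "$tmp/sites-enabled/hardened" <<'EOF'
<Directory "/var/www/">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
    (cd "$tmp" && audit_indexes sites-enabled)
    rm -rf "$tmp"
}

demo
```

On a server, `audit_indexes /etc/apache2/sites-enabled` performs the same check against the live site files; `Options` set in the server-wide configuration or in `.htaccess` files are outside what this looks at.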