I mean now any web can run an online editor and point it to another web-directory and thus modify other users files, as they are all owned by www-data..
This is the case on all webservers and not specific to ispconfig. there are 2 solutions:
1) enable php safemode.
2) switch from mod_php to suphp