The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.
You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.
you can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...
An this has still nothing to do with ISPConfig as _X_ explained above. You are just saying that a hacker script that you uploaded to a php webspace is working, ispconfig is not envolved in executing that script at all.
So, back to your original problem. If you want to prevent that a php script accesses the whole folder, you can do several things:
1) activate php safemode for the website.
2) update your php to the latest version.
3) Deactivate potential harmful functions in your php.ini lieke exec, passthru etc.
4) install security extensions for apache like mod_security
5) install suhosin for php.