Thank you for posting the information about the exploit.
First, I think this exploit will not affect any ISPConfig installation.
The exploit tries to reach the file session.inc.php in a browser.
This is impossible because the file is not inside the web root.
The web root in every ISPConfig installation is:
The session.inc.php is located in:
You can try this with your ISPConfig installation:
You will get a 404 page not found error.
Nevertheless, we will add some code to the session.inc.php file
to prevent remote code inclusions even when the file is copied
inside the web root.
If you feel insecure until we release the update, you may add this
line as the second line to the session.inc.php file:
Please send security-related information about ISPConfig first to
dev [at] ispconfig [dot] org and give the development team some time
to review it and release a patch if necessary before you post it
to the forum.