httpd log directory permissions allow symlink attacks
When the "high" security level is selected, the httpd log directory is owned by the client web user:
$this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd(
    $data['new']['document_root'].'/log'));
(this actually changes ownership of the /var/log/ispconfig/httpd/$vhost directory through the "log" symlink).
This means that the client can remove the current access-*.log or error.log file and replace it with a symlink to any file on the system, then wait for an httpd restart (or even trigger one by changing something in the control panel). Apache or vlogger would then write through the symlink with root permissions.
To avoid such attacks all intermediate directories in the log file path must be owned by root and not writable by anyone else; this is actually mentioned in Apache docs:
http://httpd.apache.org/docs/2.2/logs.html#security
Read access to logs may be managed using group read permissions (although currently there are no attempts to prevent read access - any client can read logs for any site on the same server).
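An audit for the rule stated above (every directory in the log file path owned by root and not writable by anyone else), as an added example that is not ISPConfig code. The function name `audit_log_path` and its `trusted_uid` and `stop_at` parameters are hypothetical; it resolves the vhost "log" symlink first, so the real directory under /var/log is what gets checked.

```python
import os
import stat
import sys


def audit_log_path(log_file, trusted_uid=0, stop_at="/"):
    """Return (path, problem) tuples for a log file path.

    Checks every directory from stop_at (exclusive) down to the log
    directory, after resolving symlinks such as the vhost "log" link,
    and then the log file itself. An empty list means nothing was found.
    """
    log_dir = os.path.realpath(os.path.dirname(os.path.abspath(log_file)))
    stop_at = os.path.realpath(stop_at)
    dirs = []
    d = log_dir
    while d != stop_at:
        dirs.append(d)
        if d == os.path.dirname(d):  # reached the filesystem root
            break
        d = os.path.dirname(d)

    findings = []
    for d in reversed(dirs):  # report from the top of the path downwards
        st = os.stat(d)
        if st.st_uid != trusted_uid:
            findings.append(
                (d, "owner uid %d, expected %d" % (st.st_uid, trusted_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((d, "writable by group or others"))

    # The log file must not be a link that a directory owner planted.
    real_log = os.path.join(log_dir, os.path.basename(log_file))
    if os.path.lexists(real_log) and os.path.islink(real_log):
        findings.append((real_log, "symlink to " + os.readlink(real_log)))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_log_path.py /path/to/access.log [more logs...]
    bad = [f for p in sys.argv[1:] for f in audit_log_path(p)]
    for path, problem in bad:
        print("%s: %s" % (path, problem))
    sys.exit(1 if bad else 0)
```

Run it as root against each vhost's log files; a non-zero exit status means at least one directory or log file needs its ownership or mode corrected.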