session.save_path directory listing possible for everyone
The default permissions for the session.save_path folder for every website (/var/www/<...>/tmp) allow listing of the stored files for everyone. While reading of the files inside is not possible, it still allows session hijacking for unprivileged users on the same web server.
I'm using ISPConfig 3.0.5.4p1 in a multiserver setup with both nginx and Apache servers. PHP is set to PHP-FPM.
The tmp directories should have 0700 permissions to prevent access to the session fields for completely different customers on the server and also access from different websites of the same customer.