diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 9c8dc8ef..d97e1d7d 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -289,9 +289,13 @@ class LAMConfig {
 /**
 * Loads preferences from config file
 *
- * @param integer $file Index number in config file array
+ * @param String $file file name without ".conf" (e.g. lam)
 */
- function __construct($file = 0) {
+ function __construct($file) {
+ if (empty($file) || !preg_match("/^[a-z0-9_-]+$/i", $file)) {
+ logNewMessage('ERROR', 'Invalid config file name: ' . $file);
+ die();
+ }
 // load first profile if none is given
 if (!is_string($file)) {
 $profiles = getConfigProfiles();
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index dc769bef..0d73606d 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -90,7 +90,7 @@ function checkClientIP() {
 $grantAccess = false;
 for ($i = 0; $i < sizeof($allowedHosts); $i++) {
 $host = $allowedHosts[$i];
- $ipRegex = '/^[0-9\\.\\*]+$/';
+ $ipRegex = '/^[0-9a-z\\.:\\*]+$/i';
 if (!preg_match($ipRegex, $host)) continue;
 $hostRegex = str_replace(".", "\\.", $host);
 $hostRegex = '/^' . str_replace("*", ".*", $hostRegex) . '$/';
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index 3d083295..08f9b58b 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
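Review bot: The profile-name check added to `__construct` anchors with `$` and no `D` modifier, so a name carrying a trailing newline still passes (`preg_match("/^[a-z0-9_-]+$/i", "lam\n")` returns 1); the same pattern is reused for `setprofile` and `defaultfilename` in the profmanage.php hunk of this commit. Anchoring with `\z` instead, `preg_match("/^[a-z0-9_-]+\\z/i", $file)`, closes that gap in all three places. The rejected value is also written verbatim into the log on the next line; since it is precisely the input that failed validation, it would be safer to strip non-printable bytes from it or omit it from the message. The constructor body continues past the end of the hunk.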
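Review bot: The character class in the new `$ipRegex` admits `a-z`, while the validator that writes these entries in mainmanage.php (same commit) admits only `a-f`; the two should agree, and hex digits are the only letters a textual IPv6 address can contain, so `$ipRegex = '/^[0-9a-f\\.:\\*]+$/i';` is the tighter choice here as well. With the wider class, an entry containing other letters passes this gate and is compiled into a host pattern that can never match an address, so the mismatch is never surfaced. `checkClientIP` starts before the hunk and continues after it.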
@@ -434,10 +434,10 @@ function checkInput() {
 if (isLAMProVersion()) {
 $conf->setAccessLevel($_POST['accessLevel']);
 if (!$conf->setLamProMailFrom($_POST['pwdResetMail_from'])) {
- $errors[] = array("ERROR", _("From address for password mails is invalid."), $_POST['pwdResetMail_from']);
+ $errors[] = array("ERROR", _("From address for password mails is invalid."), htmlspecialchars($_POST['pwdResetMail_from']));
 }
 if (!$conf->setLamProMailReplyTo($_POST['pwdResetMail_replyTo'])) {
- $errors[] = array("ERROR", _("Reply-to address for password mails is invalid."), $_POST['pwdResetMail_replyTo']);
+ $errors[] = array("ERROR", _("Reply-to address for password mails is invalid."), htmlspecialchars($_POST['pwdResetMail_replyTo']));
 }
 $conf->setLamProMailSubject($_POST['pwdResetMail_subject']);
 if (isset($_POST['pwdResetMail_isHTML']) && ($_POST['pwdResetMail_isHTML'] == 'on')) {
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 2f3ad688..7f0b60eb 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -90,9 +90,9 @@ if (isset($_POST['submit'])) {
 continue;
 }
 // check each line
- $ipRegex = '/^[0-9\\.\\*]+$/';
+ $ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
 if (!preg_match($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
- $errors[] = sprintf(_("The IP address %s is invalid!"), str_replace('%', '%%', $allowedHostsList[$i]));
+ $errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsList[$i])));
 }
 }
 $allowedHosts = implode(",", $allowedHostsList);
diff --git a/lam/templates/config/profmanage.php b/lam/templates/config/profmanage.php
index c9e4d819..7c355517 100644
--- a/lam/templates/config/profmanage.php
+++ b/lam/templates/config/profmanage.php
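Review bot: `htmlspecialchars()` is called with its default flags on both new lines, which before PHP 8.1 leaves single quotes unescaped and relies on the default charset; whether that matters depends on how `$errors` is rendered, which is outside this hunk, but `htmlspecialchars($_POST['pwdResetMail_from'], ENT_QUOTES, 'UTF-8')` is safe in any HTML context the value may land in and costs nothing. The same applies to the `htmlspecialchars()` call added in the mainmanage.php hunk of this commit. `checkInput` starts before the hunk and continues after it.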
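Review bot: The length guard on the line after the new `$ipRegex`, `strlen($allowedHostsList[$i]) > 15`, still rejects anything longer than a dotted IPv4 address, so most IPv6 entries the widened character class is meant to accept (for example `2001:db8:0:0:0:0:0:1`, 20 characters) are reported as invalid. An uncompressed IPv6 address is at most 39 characters, so `strlen($allowedHostsList[$i]) > 39` preserves the purpose of the bound without defeating the change. A comment above the pattern such as `// IPv4 or IPv6 characters plus '*' as wildcard; length is bounded below` would make the accepted shape explicit. The enclosing `if (isset($_POST['submit']))` block starts before the hunk and continues after it.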
@@ -109,22 +109,28 @@ if (isset($_POST['action'])) {
 }
 // set new profile password
 elseif ($_POST['action'] == "setpass") {
- if ($_POST['setpassword'] && $_POST['setpassword2'] && ($_POST['setpassword'] == $_POST['setpassword2'])) {
- $config = new LAMConfig($_POST['setprofile']);
- $config->set_Passwd($_POST['setpassword']);
- $config->save();
- $config = null;
- $msg = _("New password set successfully.");
+ if (preg_match("/^[a-z0-9_-]+$/i", $_POST['setprofile'])) {
+ if ($_POST['setpassword'] && $_POST['setpassword2'] && ($_POST['setpassword'] == $_POST['setpassword2'])) {
+ $config = new LAMConfig($_POST['setprofile']);
+ $config->set_Passwd($_POST['setpassword']);
+ $config->save();
+ $config = null;
+ $msg = _("New password set successfully.");
+ }
+ else $error = _("Profile passwords are different or empty!");
 }
- else $error = _("Profile passwords are different or empty!");
+ else $error = _("Profile name is invalid!");
 }
 // set default profile
 elseif ($_POST['action'] == "setdefault") {
- $configMain = new LAMCfgMain();
- $configMain->default = $_POST['defaultfilename'];
- $configMain->save();
- $configMain = null;
- $msg = _("New default profile set successfully.");
+ if (preg_match("/^[a-z0-9_-]+$/i", $_POST['defaultfilename'])) {
+ $configMain = new LAMCfgMain();
+ $configMain->default = $_POST['defaultfilename'];
+ $configMain->save();
+ $configMain = null;
+ $msg = _("New default profile set successfully.");
+ }
+ else $error = _("Profile name is invalid!");
 }
 }
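Review bot: Both new `preg_match()` guards read `$_POST['setprofile']` and `$_POST['defaultfilename']` without first checking that the key exists, so a POST lacking the field raises an undefined-index notice/warning and the pattern is matched against a coerced empty value (passing `null` here is deprecated from PHP 8.1); `if (isset($_POST['setprofile']) && preg_match("/^[a-z0-9_-]+$/i", $_POST['setprofile'])) {` avoids that, and likewise for `defaultfilename`. The `setdefault` branch now validates the name's characters, but nothing in the hunk checks that a profile of that name actually exists before it is stored as the default; if `LAMCfgMain::save()` does not verify this (outside the hunk), a membership test against `getConfigProfiles()` before the save would be worth adding. The same profile-name regex now appears three times in this commit, so a single shared helper would keep the checks from drifting apart. The `if (isset($_POST['action']))` block appears to close at the end of the hunk.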