Understanding the index-ajax.php LFI Risk in Legacy Evolution CMS

A security-oriented legacy note on why index-ajax.php was risky, how local file inclusion could happen, and why inherited projects should review this area carefully.

Old Evolution CMS sites sometimes exposed more of their internal surface than expected through index-ajax.php. The article documented why this was dangerous and how local file inclusion risks could appear in real projects.

The core problem

The handler accepted a file path from the request, sanitized it loosely, resolved it, and then included a PHP file from the snippets area. That created a path where unexpected files could be loaded under the wrong conditions.

if ($axhandler = (strtoupper($_SERVER['REQUEST_METHOD'])=='GET') ? $_GET['q'] : $_POST['q']) {
    $axhandler = preg_replace('/[^A-Za-z0-9_\-\.\/]/', '', $axhandler);
    $axhandler = realpath($axhandler) or die();
    ...
    include_once($axhandler);
}
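
One way to constrain an include like the one above, shown as an added example (not Evolution CMS code and not from the original article): the requested name is resolved relative to a single base directory and accepted only if the canonical result is a .php file inside it. The function name resolve_handler, the directory layout and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not Evolution CMS code. Directory layout and file names
// below are constructed for the demo.

/**
 * Return the canonical path of $requested only if it is an existing .php
 * file inside $baseDir; return null otherwise (fail closed).
 */
function resolve_handler(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // A character filter that still allows "." and "/" lets "../" through,
    // and realpath() only canonicalises; it does not confine. So resolve
    // relative to the base first, then check where the result landed.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check; the trailing separator stops a sibling such as
    // "snippets_old" from matching the "snippets" prefix.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $real;
}

// Constructed demo tree: one legitimate handler, one file outside the base,
// one non-PHP file inside it.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/snippets/ajax", 0700, true);
file_put_contents("$root/snippets/ajax/handler.php", "<?php // handler\n");
file_put_contents("$root/snippets/notes.txt", "not code\n");
file_put_contents("$root/outside.php", "<?php // outside the base\n");

$samples = ['ajax/handler.php', 'notes.txt', '../outside.php', 'ajax/../../outside.php'];
foreach ($samples as $q) {
    $path = resolve_handler($q, "$root/snippets");
    printf("%-24s => %s\n", $q, $path === null ? 'rejected' : 'allowed');
}
```

In a real handler the returned path, not the raw request value, is what gets passed to include_once, and a null result ends the request.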

Why this matters

  • legacy helper entry points often become security liabilities over time
  • projects assume a script is only used by one extra, but the include surface is broader
  • old sites may still contain this behavior years after the original discussion

If you maintain an inherited Evolution CMS project, review old AJAX entry points first. Small utility loaders can create bigger security problems than the visible frontend ever suggests.
