Claude and Fixinator - a great team
This blog was built using Claude prompts. After it was finished, the ColdFusion security checker Fixinator was run against the 27 files in the project with the command:

```
fixinator engines=adobe resultFormat=pdf,json resultFile=fixinatorReport.pdf, fixinatorReport.json ignoreExtensions=xls,xlsx,pdf,msg,mdb confidence=low
```

The Claude prompt "read fixinatorreport.json" was then executed using the CLI in PowerShell.
Fixinator Security Remediation Report
S&R Tech Group Blog — ColdFusion Application
Files Modified
| File | Findings Fixed | Categories |
|---|---|---|
| post.cfm | 1 | SQL Injection |
| includes/header.cfm | 7 | XSS, Unscoped Variable, SRI, Crossorigin |
| includes/footer.cfm | 5 | XSS, Unscoped Variable, SRI, Crossorigin |
| admin/post-list.cfm | 7 | Reverse Tabnabbing, SRI, Crossorigin |
| admin/comments.cfm | 6 | SRI, Crossorigin |
| admin/post-editor.cfm | 2 | SRI, Crossorigin |
| post-editor.cfm | 2 | SRI, Crossorigin |
| Application.cfc | 2 | SRI, Crossorigin |
| admin/Application.cfc | 2 | SRI, Crossorigin |
| mnt/user-data/outputs/blog/admin/Application.cfc | 2 | SRI, Crossorigin |
High SQL Injection
File: post.cfm, line 177
Issue: A variable (#parentID#) was interpolated directly into a SQL statement without parameterization. Even though this is a Query-of-Queries (QoQ) operating on an in-memory recordset, unparameterized variables in SQL are flagged as injection risks and should always be bound with `<cfqueryparam>`.
Fix: Wrapped the variable with `<cfqueryparam>` using cfsqltype="cf_sql_integer".
Before:

```cfml
SELECT * FROM qComments WHERE parent_id = #parentID#
```

After:

```cfml
SELECT * FROM qComments WHERE parent_id = <cfqueryparam value="#parentID#" cfsqltype="cf_sql_integer">
```
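The following is an added example, not code from the blog or from the Fixinator report. It puts the flagged Query-of-Queries pattern next to its remediated form and shows why the `cf_sql_integer` binding matters even on an in-memory recordset: the `qComments` query object and the hostile `parentID` value are constructed here for illustration, and the variable name `qRepliesSafe` is assumed.

```cfml
<!--- Added example (not the blog's source or the Fixinator output).
      Constructed sample data standing in for the comments recordset --->
<cfset qComments = queryNew("id,parent_id,body", "integer,integer,varchar", [
    {id: 1, parent_id: 0, body: "top-level comment"},
    {id: 2, parent_id: 1, body: "reply to comment 1"},
    {id: 3, parent_id: 1, body: "another reply to comment 1"}
])>

<!--- Constructed untrusted input: a non-integer value such as a URL parameter could carry --->
<cfset parentID = "1 OR 1=1">

<!--- BEFORE (the pattern Fixinator flagged): the value becomes part of the SQL text,
      so the WHERE clause is rewritten by the input and every row comes back --->
<cfquery name="qRepliesVuln" dbtype="query">
    SELECT * FROM qComments WHERE parent_id = #parentID#
</cfquery>
<cfoutput>Unparameterized query returned #qRepliesVuln.recordCount# rows (expected 2)<br></cfoutput>

<!--- AFTER: cfqueryparam binds the value and enforces cf_sql_integer, so a
      non-integer value is rejected before the query ever runs --->
<cftry>
    <cfquery name="qRepliesSafe" dbtype="query">
        SELECT * FROM qComments
        WHERE parent_id = <cfqueryparam value="#parentID#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfoutput>Parameterized query returned #qRepliesSafe.recordCount# rows<br></cfoutput>
    <cfcatch type="any">
        <!--- Reached for the constructed input: the type check fails, nothing is queried --->
        <cfoutput>Rejected non-integer parentID: #htmlEditFormat(cfcatch.message)#<br></cfoutput>
    </cfcatch>
</cftry>
```

With a legitimate value such as `<cfset parentID = 1>` the parameterized query returns the two replies; the point of the cfsqltype attribute is that type enforcement happens at bind time, so validation does not depend on the calling page remembering to check the input first.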