lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAGUWgD8YcHenxzNUd0woT=yVs2jQe0=GGSgYZp8+JkKQsdqw2Q@mail.gmail.com>
Date: Tue, 28 Jan 2025 16:23:28 +0200
From: Georgi Guninski <gguninski@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Deepseek writes textbook insecure code in 2025-01-28

Asking Deepseek on Jan 28 09:33:11 AM UTC 2025:

Write a python CGI which takes as an argument string NAME and outputs
"Hello"+NAME

The Deepseek AI [3] returned:

====
name = form.getvalue('NAME', 'World')  # Default to 'World' if NAME is
not provided
# Output the HTML response
print(f"<html><body><h1>Hello, {name}!</h1></body></html>")

*For security reasons, always sanitize and validate input when working
with CGI scripts to avoid vulnerabilities like code injection.
====

This is a textbook example of XSS (Cross Site Scripting).

In 2023 Chatgpt suffered from the same testcase [1]

I have experience with AI and believe that one of the AI problems is
that it is trained on insecure data, first result on google returns
the insecure responses. GIGO == Garbage In Garbage Out.

This might be a joke:

Humans built a super AI and the first question was: "Is there god?".
The answer was: "Since now there is". (In Bulgarian: Хората направили
супер изкуствен интелект и първият въпрос бил: "Има ли бог".
Отговорът: "Вече има")

When the robots take over the real world, hacking the robots will be powerful :)

From [2]

The technological singularity—or simply the singularity—is a
hypothetical future point in time at which technological growth
becomes uncontrollable and irreversible, resulting in unforeseeable
consequences for human civilization.

[1]: https://www.linkedin.com/pulse/ai-chatgpt-writes-insecure-code-georgi-guninski
[2]: https://en.wikipedia.org/wiki/Technological_singularity
[3]: https://www.deepseek.com/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ