Full Disclosure mailing list archives

Asking Deepseek on Jan 28 09:33:11 AM UTC 2025:

Write a python CGI which takes as an argument string NAME and outputs
"Hello"+NAME

The Deepseek AI [3] returned:

====
name = form.getvalue('NAME', 'World')  # Default to 'World' if NAME is
not provided
# Output the HTML response
print(f"<html><body><h1>Hello, {name}!</h1></body></html>")

*For security reasons, always sanitize and validate input when working
with CGI scripts to avoid vulnerabilities like code injection.
====

This is a textbook example of XSS (Cross Site Scripting).

In 2023 Chatgpt suffered from the same testcase [1]

I have experience with AI and believe that one of the AI problems is
that it is trained on insecure data, first result on google returns
the insecure responses. GIGO == Garbage In Garbage Out.

This might be a joke:

Humans built a super AI and the first question was: "Is there god?".
The answer was: "Since now there is". (In Bulgarian: Хората направили
супер изкуствен интелект и първият въпрос бил: "Има ли бог".
Отговорът: "Вече има")

When the robots take over the real world, hacking the robots will be powerful :)

From [2]

The technological singularity—or simply the singularity—is a
hypothetical future point in time at which technological growth
becomes uncontrollable and irreversible, resulting in unforeseeable
consequences for human civilization.

[1]: https://www.linkedin.com/pulse/ai-chatgpt-writes-insecure-code-georgi-guninski
[2]: https://en.wikipedia.org/wiki/Technological_singularity
[3]: https://www.deepseek.com/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• Deepseek writes textbook insecure code in 2025-01-28 Georgi Guninski (Jan 29)