- This takes me back. In the 90s there wasn't exactly a lot of web app programming going on, and it was hard to find a web host willing to let you run scripts through CGI. This was my first introduction to perl and the idea of dynamically building web pages. I adapted WWWBoard into a web chat that was "real time" using html refresh tags. Really inspired the rest of my career. Was for lots of people.
Not sure how I feel about the author trying to use Matt's Script Archive's bugginess and popularity to make a point about vulnerabilities and vibe coding. The web was simply just a very different place back then. Even viruses were more about hackers showing off their skills than the industral malware complex we have today. Bots weren't scanning the whole web for wp-admin.php. No one was really entering credit cards on web pages. If your site got hacked, it got graffiti'd and it was embarrassing, but no one used it to hawk bitcoin.
Likening vibe apps to WWWBoard is simply ignoring the climate and times each are a part of.
- >> No one was really entering credit cards on web pages.
Any webpage that needed a credit card number we would use a generator which worked about 50% of the time
- formmail.pl transformed my life.
I was tinkering with making websites for the band I was in (learned html through htmlgoodies.com) but I needed a contact form. I'd never really touched a computer before and I expected formmail to be some wall of incomprehensible binary. I was amazed when I opened it and found plain english.
It was the moment I stopped being a drummer and started being a web developer. That was 1999. I've never stopped writing code since.
Magical.
- I remember Matt’s Scripts Archive as an absolute gold mine for learning how to make web applications through example in the pre-PHP days, which was pretty challenging when all you had to work with is CGI and maybe SSI if your hosting provider was particularly advanced. It’s what got me started as a web application developer 30+ years ago. I guess I probably learned about security the hard way by following his examples. But it got me headed broadly in the right direction I think.
I remember being very proud of how I extended his forum software to support threaded messaging and pagination.
- This is the big thing for me as well. Just having a source for code to show me how to do certain things was absolutely huge. I don't think I even used his code as-is hardly at all. It was part of the View Source way a lot of us learned to code.
- Working for an ISP in the mid 00s, the lack of security of those scripts was an absolute nightmare. It was a routine task to have to go clean up the mess they made, everything from simple "Being used to relay spam" on up.
- About once a week: "Why is our outbound bandwidth saturated? Oh, look! A new FormMail exploit!"
I think my all-time favorite was an SMTP injection. I don't remember the exact details, but it was pretty close to this:
* The script accepted a form POST and decoded it.
* It opened a pipe to sendmail.
* It wrote the expected SMTP headers to sendmail's stdin.
* Then it wrote the decoded POST body as-is into sendmail's stdin.
Thing is, that method used in-band signaling. This is the part I forget exactly, but you could send in the POST body:
That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message.Blah blah . To: [1,000 email addresses] From: root@localhost Subject: LOL spam Haha suckersWe learned that one the fun way.
- Haha, that was the ultimate test. Is my terminal suddenly laggy? OK, we got hacked again.
- We simply banned them.
If I recall correctly, they were explicitly mentioned in our t&cs, and we had a filter on our ftp server which would quarantine them & email an explanation to the uploader.
For FormMail, we automatically substituted the London.pm nms drop-in compatible version (mentioned in the article). For the others, we provided a link to the nms versions and had our support team reach out and offer assistance with converting their site to use them.
It saved us endless trouble - the MSA FormMail was responsible for so much spam in the 2000 - 2002 period.
- This is a really interesting point I think needs more discussion:
> The site Wright built, Matt’s Script Archive, unwittingly helped to highlight the divergence between how normal people think about software, and the developer’s perspective.
Because I've been in a lot of communities where buggy, poorly coded tools and resources became incredibly popular (to the dire of more professional/skill programmers), simply because they solved a need that wasn't being addressed elsewhere.
For example, I was in an old school modding community where a certain user had released dozens of resources recreating characters and elements from other games. On a technical level, these were absolutely awful. The code was a Frankenstein's monster style mishmash of code from other resources that was edited just enough to get it to work, the behaviour was often buggy or incredibly basic compared to the material that inspired it, and everything was woefully inefficient, with ten times more code than there needed to be. Every skilled programmer in the community hated this guy and his work, and even today he's seen as a source of mockery.
But said resources were also incredibly popular. The more skilled developers in said community hadn't coded their own versions of these resources, and alternatives to them were often few and far between. So, while the quality of the resources was terrible on a technical level, they filled a real user need.
If a well made solution to a problem doesn't exist, people will use whatever does, no matter how shoddy it might be.
On a more Script Archive related note, I also remember these scripts being recommended a lot in web development tutorials of the day. I never used them myself (since by the time I found real hosting services for my sites, things like PHP and MySQL had become the default online), but they were everywhere in the early days of the web.
- There should be a historic websites society, like the historic places societies we have that preserve and mark certain areas with information about them.
- htmlgoodies.com should be on the list. The brown version with the curvy design when it was Joe Burns Ph.D running it.
https://web.archive.org/web/19990302022344/http://www.htmlgo...
- God I remember this site. I think it was the main resource I used when learning web development in the day, alongside a few physical books here and there.
- and the table based approached stayed pretty relevant for email marketing because it took a LONG time for email clients to drop the table based approach.
- Shout out to "Not Matt's Scripts" https://nms-cgi.sourceforge.net , which attempted to rewrite the most popular of these scripts in a more secure way.
- Deploying and tinkering with Matt's scripts was a very formative exercise in my early teenage years. I rememher offering public FormMail and guestbook hosting services (on underlying10MB shared hosting plans!)
- I totally remember this site...there were a bunch of themed collection sites of various scripts back then. I'd definitely say this is on the same timeline as dockerhub, npm.org and pypi or at that time, cpan (which still exists of course).
- A blast from the past. I used his scripts for sending email from forms. The internet was a very nice place back then.
- Reminds me of my first websites. I had a book with HTML tags and I tried to add a form with a submit button. It didn’t work, I had no backend, I don’t think I had a concept of what a backend was at that point. I’m not even sure what I expected to happen with that form.
- My favorite prank to do on wwwboard was to put in a space for subject, then your post was unclickable.
