madrox 12 hours ago [-]
This takes me back. In the 90s there wasn't exactly a lot of web app programming going on, and it was hard to find a web host willing to let you run scripts through CGI. This was my first introduction to perl and the idea of dynamically building web pages. I adapted WWWBoard into a web chat that was "real time" using html refresh tags. Really inspired the rest of my career. Was for lots of people.
Not sure how I feel about the author trying to use Matt's Script Archive's bugginess and popularity to make a point about vulnerabilities and vibe coding. The web was simply just a very different place back then. Even viruses were more about hackers showing off their skills than the industrial malware complex we have today. Bots weren't scanning the whole web for wp-admin.php. No one was really entering credit cards on web pages. If your site got hacked, it got graffiti'd and it was embarrassing, but no one used it to hawk bitcoin.
Likening vibe apps to WWWBoard is simply ignoring the climate and times each are a part of.
ed_elliott_asc 6 hours ago [-]
>> No one was really entering credit cards on web pages.
Any webpage that needed a credit card number we would use a generator which worked about 50% of the time
borwick 1 hours ago [-]
Shout out to "Not Matt's Scripts" https://nms-cgi.sourceforge.net , which attempted to rewrite the most popular of these scripts in a more secure way.
jamiecurle 4 hours ago [-]
formmail.pl transformed my life.
I was tinkering with making websites for the band I was in (learned html through htmlgoodies.com) but I needed a contact form. I'd never really touched a computer before and I expected formmail to be some wall of incomprehensible binary. I was amazed when I opened it and found plain english.
It was the moment I stopped being a drummer and started being a web developer. That was 1999. I've never stopped writing code since.
Magical.
Twirrim 12 hours ago [-]
Working for an ISP in the mid 00s, the lack of security of those scripts was an absolute nightmare. It was a routine task to have to go clean up the mess they made, everything from simple "Being used to relay spam" on up.
kstrauser 12 hours ago [-]
About once a week: "Why is our outbound bandwidth saturated? Oh, look! A new FormMail exploit!"
I think my all-time favorite was an SMTP injection. I don't remember the exact details, but it was pretty close to this:
* The script accepted a form POST and decoded it.
* It opened a pipe to sendmail.
* It wrote the expected SMTP headers to sendmail's stdin.
* Then it wrote the decoded POST body as-is into sendmail's stdin.
Thing is, that method used in-band signaling. This is the part I forget exactly, but you could send in the POST body:
That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message.
We learned that one the fun way.
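An added example, not part of the comment above and not code from FormMail or nms: one way a form-to-mail handler can keep form data from acting as in-band signaling, by rejecting line breaks in header fields and neutralising a lone "." in the body. The sendmail path, the fixed recipient, the form field names and the sample submission are assumptions made for illustration.

```python
import re

SENDMAIL = "/usr/sbin/sendmail"       # assumed path
RECIPIENT = "owner@example.invalid"   # fixed server-side, never read from the form

class RejectedInput(ValueError):
    """Raised when a form field would break out of its place in the message."""

def header_value(name, value):
    # A header field is one logical line; CR, LF or NUL would let the
    # sender start a new header or end the header block early.
    if re.search(r"[\r\n\x00]", value):
        raise RejectedInput(f"control character in field {name!r}")
    return value.strip()

def body_lines(text):
    # Normalise bare CR and bare LF so every line boundary is visible here.
    return text.replace("\r\n", "\n").replace("\r", "\n").split("\n")

def has_lone_dot(text):
    # Detection hook: a line consisting only of "." is the in-band terminator.
    return any(line == "." for line in body_lines(text))

def build_message(form, smtp_data=False):
    headers = [
        ("To", RECIPIENT),
        ("Reply-To", header_value("email", form["email"])),
        ("Subject", header_value("subject", form["subject"])),
    ]
    lines = body_lines(form["message"])
    eol = "\r\n" if smtp_data else "\n"
    if smtp_data:
        # Dot-stuffing (RFC 5321 section 4.5.2): the receiver strips one
        # leading dot, so no body line can be a lone "." on the wire.
        lines = ["." + l if l.startswith(".") else l for l in lines]
    head = eol.join(f"{k}: {v}" for k, v in headers)
    return head + eol + eol + eol.join(lines) + eol

def sendmail_argv():
    # For the pipe case: -i stops a lone "." on stdin from ending the
    # message, "--" ends option parsing, and the recipient is an argument.
    return [SENDMAIL, "-i", "--", RECIPIENT]

# Constructed sample submission, not from a real incident.
SAMPLE = {"email": "visitor@example.invalid", "subject": "hello",
          "message": "first line\n.\n\nSubject: not a header\nlast line"}
```

Use `smtp_data=True` only when the bytes go into an SMTP DATA stream; when piping to sendmail, leave the body unstuffed and rely on `-i`, otherwise the recipient sees doubled dots.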
qingcharles 10 hours ago [-]
Haha, that was the ultimate test. Is my terminal suddenly laggy? OK, we got hacked again.
roryirvine 4 hours ago [-]
We simply banned them.
If I recall correctly, they were explicitly mentioned in our t&cs, and we had a filter on our ftp server which would quarantine them & email an explanation to the uploader.
For FormMail, we automatically substituted the London.pm nms drop-in compatible version (mentioned in the article). For the others, we provided a link to the nms versions and had our support team reach out and offer assistance with converting their site to use them.
It saved us endless trouble - the MSA FormMail was responsible for so much spam in the 2000 - 2002 period.
CM30 4 hours ago [-]
This is a really interesting point I think needs more discussion:
> The site Wright built, Matt’s Script Archive, unwittingly helped to highlight the divergence between how normal people think about software, and the developer’s perspective.
Because I've been in a lot of communities where buggy, poorly coded tools and resources became incredibly popular (to the ire of more professional/skilled programmers), simply because they solved a need that wasn't being addressed elsewhere.
For example, I was in an old school modding community where a certain user had released dozens of resources recreating characters and elements from other games. On a technical level, these were absolutely awful. The code was a Frankenstein's monster style mishmash of code from other resources that was edited just enough to get it to work, the behaviour was often buggy or incredibly basic compared to the material that inspired it, and everything was woefully inefficient, with ten times more code than there needed to be. Every skilled programmer in the community hated this guy and his work, and even today he's seen as a source of mockery.
But said resources were also incredibly popular. The more skilled developers in said community hadn't coded their own versions of these resources, and alternatives to them were often few and far between. So, while the quality of the resources was terrible on a technical level, they filled a real user need.
If a well made solution to a problem doesn't exist, people will use whatever does, no matter how shoddy it might be.
On a more Script Archive related note, I also remember these scripts being recommended a lot in web development tutorials of the day. I never used them myself (since by the time I found real hosting services for my sites, things like PHP and MySQL had become the default online), but they were everywhere in the early days of the web.
arscan 12 hours ago [-]
I remember Matt’s Scripts Archive as an absolute gold mine for learning how to make web applications through example in the pre-PHP days, which was pretty challenging when all you had to work with is CGI and maybe SSI if your hosting provider was particularly advanced. It’s what got me started as a web application developer 30+ years ago. I guess I probably learned about security the hard way by following his examples. But it got me headed broadly in the right direction I think.
I remember being very proud of how I extended his forum software to support threaded messaging and pagination.
tgorgolione 11 hours ago [-]
There should be a historic websites society, like the historic places societies we have that preserve and mark certain areas with information about them.
jamiecurle 4 hours ago [-]
htmlgoodies.com should be on the list. The brown version with the curvy design when it was Joe Burns Ph.D running it.
God I remember this site. I think it was the main resource I used when learning web development in the day, alongside a few physical books here and there.
jamiecurle 2 hours ago [-]
and the table based approach stayed pretty relevant for email marketing because it took a LONG time for email clients to drop the table based approach.
knadh 10 hours ago [-]
Deploying and tinkering with Matt's scripts was a very formative exercise in my early teenage years. I remember offering public FormMail and guestbook hosting services (on underlying 10MB shared hosting plans!)
kristopolous 12 hours ago [-]
I totally remember this site...there were a bunch of themed collection sites of various scripts back then. I'd definitely say this is on the same timeline as dockerhub, npm.org and pypi or at that time, cpan (which still exists of course).
Dwedit 9 hours ago [-]
My favorite prank to do on wwwboard was to put in a space for subject, then your post was unclickable.
tonyoconnell 12 hours ago [-]
A blast from the past. I used his scripts for sending email from forms. The internet was a very nice place back then.
wingerlang 7 hours ago [-]
Reminds me of my first websites. I had a book with HTML tags and I tried to add a form with a submit button. It didn’t work, I had no backend, I don’t think I had a concept of what a backend was at that point. I’m not even sure what I expected to happen with that form.
https://web.archive.org/web/19990302022344/http://www.htmlgo...