Deploying and tinkering with Matt's scripts was a very formative exercise in my early teenage years. I rememher offering public FormMail and guestbook hosting services (on underlying10MB shared hosting plans!)
There should be a historic websites society, like the historic places societies we have that preserve and mark certain areas with information about them.
This takes me back. In the 90s there wasn't exactly a lot of web app programming going on, and it was hard to find a web host willing to let you run scripts through CGI. This was my first introduction to perl and the idea of dynamically building web pages. I adapted WWWBoard into a web chat that was "real time" using html refresh tags. Really inspired the rest of my career. Was for lots of people.
Not sure how I feel about the author trying to use Matt's Script Archive's bugginess and popularity to make a point about vulnerabilities and vibe coding. The web was simply just a very different place back then. Even viruses were more about hackers showing off their skills than the industral malware complex we have today. Bots weren't scanning the whole web for wp-admin.php. No one was really entering credit cards on web pages. If your site got hacked, it got graffiti'd and it was embarrassing, but no one used it to hawk bitcoin.
Likening vibe apps to WWWBoard is simply ignoring the climate and times each are a part of.
I remember Matt’s Scripts Archive as an absolute gold mine for learning how to make web applications through example in the pre-PHP days, which was pretty challenging when all you had to work with is CGI and maybe SSI if your hosting provider was particularly advanced. It’s what got me started as a web application developer 30+ years ago. I guess I probably learned about security the hard way by following his examples. But it got me headed broadly in the right direction I think.
I remember being very proud of how I extended his forum software to support threaded messaging and pagination.
Working for an ISP in the mid 00s, the lack of security of those scripts was an absolute nightmare. It was a routine task to have to go clean up the mess they made, everything from simple "Being used to relay spam" on up.
That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message.
I totally remember this site...there were a bunch of themed collection sites of various scripts back then. I'd definitely say this is on the same timeline as dockerhub, npm.org and pypi or at that time, cpan (which still exists of course).
Not sure how I feel about the author trying to use Matt's Script Archive's bugginess and popularity to make a point about vulnerabilities and vibe coding. The web was simply just a very different place back then. Even viruses were more about hackers showing off their skills than the industral malware complex we have today. Bots weren't scanning the whole web for wp-admin.php. No one was really entering credit cards on web pages. If your site got hacked, it got graffiti'd and it was embarrassing, but no one used it to hawk bitcoin.
Likening vibe apps to WWWBoard is simply ignoring the climate and times each are a part of.
I remember being very proud of how I extended his forum software to support threaded messaging and pagination.
I think my all-time favorite was an SMTP injection. I don't remember the exact details, but it was pretty close to this:
* The script accepted a form POST and decoded it.
* It opened a pipe to sendmail.
* It wrote the expected SMTP headers to sendmail's stdin.
* Then it wrote the decoded POST body as-is into sendmail's stdin.
Thing is, that method used in-band signaling. This is the part I forget exactly, but you could send in the POST body:
That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message.We learned that one the fun way.