What Was Matt Thinking?

Currently, I’m in the midst of writing a big post about the roots of web forums, but I hit on an aside weird enough that I decided to stop writing that and work on a separate post. Because I think it actually explains a lot about the way people use the internet.

Essentially, here’s the deal. Around 1995 or so, a high schooler named Matt Wright decided to launch a website that shared some basic website tools that he programmed. Many of these were dead-simple, things like contact forms, guestbooks, and web counters. One in particular, WWWBoard, became a massive hit, becoming one of the first widely used web forum apps on the internet.

The site Wright built, Matt’s Script Archive, unwittingly helped to highlight the divergence between how normal people think about software, and the developer’s perspective.

Wright, and others like him, hit upon an obvious need. Regular people found these scripts, ran them, and suddenly had forums, counters, and contact forms. They got the job done. But programmers who weren’t in high school and weren’t so wet behind the ears looked aghast at what Wright had done: He had spread poorly designed, but widely used software across the internet. This software was packed with security issues, but worst of all, it wasn’t really getting updated all that much.

How serious are the security issues? Well, a look at OpenCVE points out some very serious problems that range from bugs that emerged from massive exposure to some questionable design decisions. (Keeping an encrypted password file in the root? Making it possible to grab env variables via a URL? Not smart!)

One exploit in particular, affecting Wright’s textcounter tool, stands out among the list: CVE-1999-1479, with a score of 10.0 critical, effectively allows exploiters to execute code on the server as root.

This state of affairs got serious enough that a competing website, called nms, essentially was launched to replace Matt’s buggy scripts with drop-in versions aren’t full of security exploits from bad coding. Their POV:

The problem is that the scripts in Matt’s Script Archive aren’t very good. The scripts are well known amongst the Perl community to be badly written, buggy, and insecure. Anyone asking for support on Matt’s scripts in any forum will be told in no uncertain terms that they shouldn’t use his scripts.

Unfortunately for some time there were no replacements for Matt’s scripts that you would want people to use. In 2001, the London Perl Mongers decided to address this problem and write a series of drop-in replacements for Matt’s scripts. This project is the result.

That said, you shouldn’t use nms either, because it hasn’t been updated in about 20 years. What gives? After I wrote this, Dave Cross, who helped develop the nms tool, reached out and noted that while he still programs in Perl, the mechanisms we use to program and host websites have sharply diverged over the past 30 years. “The best practices in Perl web development moved on from CGI a long time ago,” he wrote in an email.

On top of all that, security practices have continued to evolve.

“The internet is a very different and far less trusting place these days,” Cross added. “One of the problems with FormMail, for example, is that it could be used to send spam. That hole was fixed but, today, things like SPF and DKIM would make it very hard to deliver email to its intended recipient.”

(Even if Cross actually wanted to update the nms scripts, he would be unable to—as he doesn’t have his SourceForge login anymore, nor does he really remember how Subversion works. But we’re not exactly lacking for alternatives, either.)

Matt’s scripts, the easy option, and the problem with overexposure

When so many people use something that it becomes part of the internet’s lingua franca, it’s inevitable exploits are going to emerge. There’s a reason WordPress and Windows each have reputations as bug-ridden, and it’s largely because of the number of eyes on the given tools.

With that in mind, I don’t think it’s fair to blame Wright for having bad code—after all, it wasn’t like he knew it was going to become a huge platform.

(For what it’s worth, Wright himself later recommended the nms scripts instead of his own, reminding folks he wrote his original scripts as a kid. “The code you find at Matt’s Script Archive is not representative of how even I would code these days,” he wrote on his site. “My interests and activities have moved on, however, and I just have not found the time to update all of my scripts.”)

I think there is a lesson for security teams, however, who are going to be stuck trying to work around people who grab the lowest hanging fruit.

The average person does not want to spend hours looking over every option under the sun to find something good. They just want it to work, and they may not necessarily think much about how to make it better.

That, of course, is why vibe coding is such a big thing nowadays. It hits on the very same tension that an easy-to-access script archive did. And just as with these scripts, you can look at vibe-coded apps as insecure dreck created by someone who didn’t know better, or you can look at them as a democratizing tool.

Problem is, they’re technically both. Can you appreciate one while appreciating the other? I have the answer, and it’s yes.

Matt’s scripts, remembered

Recently, I spotted an incredible project at the domain that once hosted Matt’s Script Archive. As of a year ago, worldwidemart.com was hosting spam gambling content of the kind that might give your computer a virus.

But that owner let the domain expire late last year. This turned out to be the best thing. Someone who really cared about the legacy of Matt’s Script Archive decided to buy the domain to build a new site explaining the legacy of what once existed there, and why those scripts, as broken as they are, matter.

The new site has the definite smell of vibe coding, but you know what? It’s also doing something incredibly important for the history of the internet. As you know, I’m the kind of guy that complains loudly when someone takes over a historically important website for less-than-stellar reasons. But I have looked through this page and I do not see any reason to complain—no under-the-radar sketchy “yeah, we did this to sell you something” drama. The page where I thought I would see that, a link located at /hosting/, is instead an explanation of how web hosting has changed in the past 30+ years.

Put another way, this website rules. If we’re going to revive domains into zombie websites, I’d rather it was a vibe-coded thing that explains why this was once historically relevant than something that a spammer doesn’t even want.

What was Matt thinking? He just wanted to be helpful. And that he was.

Updated 05/23/2026

Added more details about the nms scripts from Dave Cross, who helped build them a quarter-century ago. (Thanks for reaching out!)