For nearly a decade, the URL http://www.worldwidemart.com/scripts/ was one of the most visited addresses on the World Wide Web. It was the home of Matt's Script Archive (MSA) — a collection of free Perl CGI scripts that gave millions of webmasters their first taste of server-side interactivity. This is the full story of how a teenager's hobby project became essential infrastructure for the early web, weathered a security crisis, inspired a community response, and ultimately faded as the web moved on.
The story of Matt's Script Archive begins not with Matt Wright himself, but with a hosting company in Naples, Florida. World Wide Mart, Inc. was founded by Dave Jackson in 1994, during the earliest days of commercial web hosting. The company operated the domain worldwidemart.com and offered web hosting services to businesses and individuals who wanted a presence on the nascent World Wide Web. In 1994, the total number of websites in existence was still measured in the tens of thousands. Netscape Navigator had just been released. The HTML specification was at version 2.0, and most web pages consisted of text, hyperlinks, and the occasional inline image.
It was in this environment that Matt Wright, a teenager from Fort Collins, Colorado, began writing Perl scripts for the web. Matt was 14 years old in 1995 and had taught himself Perl by studying the language's documentation, experimenting on Unix systems, and reading the nascent online tutorials that existed at the time. Perl was the dominant language for server-side web programming — its text-processing strengths and the CGI.pm module made it a natural fit for handling HTML form data and generating dynamic pages.
Matt's arrangement with World Wide Mart was straightforward: the company provided server space and a URL, and Matt wrote scripts that he distributed freely to the public. The scripts were made available at http://www.worldwidemart.com/scripts/, and Matt's contact email was [email protected]. There was no formal business arrangement publicly documented — it was simply a teenager sharing his work through a hosting company's generosity.
The first scripts appeared in 1995. Among the earliest were:
These three scripts addressed the three most common requests from webmasters of the era: Let visitors leave messages. Let visitors contact me. Let me see how many visitors I have. The scripts were distributed as .pl files with accompanying readme documents explaining installation. A webmaster would download the script, upload it to their server's cgi-bin directory, set file permissions to 755, edit a few configuration variables at the top of the script, and the feature would work. No compilation. No database. No framework. Just a Perl file, a web server with CGI support, and five minutes of configuration.
By 1996, the web was growing at an extraordinary pace. The Apache HTTP Server had become the dominant web server software. Perl 5, released in 1994, had matured significantly, and its module ecosystem (accessible via CPAN) was expanding rapidly. Shared web hosting had become affordable — companies like GeoCities (founded 1994), Tripod (1995), and Angelfire (1996) offered free or inexpensive hosting with CGI support. Millions of people were creating personal websites for the first time.
These new webmasters had HTML knowledge but little or no programming experience. They could build pages with text, images, and links, but anything interactive — forms, counters, guestbooks, forums — required server-side code. The learning curve for Perl CGI programming was steep, and most people simply wanted a working script they could install and forget about. Matt's Script Archive filled this gap perfectly.
The archive grew steadily during this period. Matt added new scripts and updated existing ones. By 1997, the collection included:
FormMail v1.6 was released on May 2, 1997. This was the last version of FormMail that Matt Wright would release under the original worldwidemart.com distribution for several years. Version 1.6 introduced configurable redirect URLs, improved error handling, and better formatting of the email output. It was this version that spread across the web and became, by many accounts, the single most widely installed CGI script in history.
The popularity of MSA during this period was driven by a self-reinforcing cycle: webmasters installed the scripts, their visitors saw the "Powered by Matt's Script Archive" credits, visited worldwidemart.com/scripts/ to download the same scripts for their own sites, and the cycle repeated. The scripts were also recommended in countless "how to build a website" tutorials, listed in web development directories like the DMOZ Open Directory Project, and referenced in early web development books.
By the end of 1997, the archive comprised 14 Perl scripts and 2 C++ programs. The C++ programs — an Animation tool and a Credit Card Verifier — never achieved the same popularity as the Perl scripts, largely because they required compilation on the server, which most shared hosting providers did not allow.
The late 1990s represented the absolute peak of Matt's Script Archive's influence. The web was experiencing explosive growth fueled by the dot-com boom, and the demand for interactive website features had never been higher. Estimates from the period suggest that FormMail alone was downloaded over 2 million times from the archive — and this figure does not account for the countless copies redistributed through hosting control panels, web development tutorials, and CD-ROM collections of "essential web tools" that were common at the time.
During this period, Matt's scripts were referenced in several published books, including titles from O'Reilly Media, the dominant publisher of technical books for web developers. The scripts appeared in discussions of CGI programming, Perl web development, and practical website building. For many readers, the scripts served as both working tools and learning materials — the source code was well-commented and provided concrete examples of how to process form data, read and write files, parse HTTP headers, and generate dynamic HTML.
The free hosting platforms of the era amplified the scripts' reach enormously. GeoCities, which was acquired by Yahoo! in 1999 for $3.57 billion, hosted millions of personal websites. A significant percentage of these sites used Matt's scripts for their guestbooks, counters, and contact forms. Angelfire and Tripod similarly hosted vast numbers of personal websites that relied on MSA scripts. The scripts were so ubiquitous that encountering a guestbook or contact form on a personal website in 1999 that wasn't powered by Matt's scripts was notable.
WWWBoard v2.0 Alpha 2.1 was released on January 7, 2000. This was an ambitious rewrite of the original forum script, incorporating features like administrative controls, IP logging, and improved thread navigation. The "Alpha" designation reflected the fact that Matt considered the script still in development, but many webmasters deployed it in production regardless.
By 2000, the archive had also accumulated additional scripts:
Around this time, Matt Wright began transitioning the archive to its own dedicated domain. ScriptArchive.com was registered and became the primary distribution point for new versions and updates. The worldwidemart.com/scripts/ URL continued to function but increasingly redirected to or referenced the new domain. The name "Matt's Script Archive" was already so well established that the domain change had little impact on the archive's visibility or traffic.
The enormous installed base of Matt's scripts made them an attractive target for exploitation, and by 2001, serious security vulnerabilities in several scripts — most critically FormMail — had become a significant problem for the web.
The core issue with FormMail was that it could be used as an open email relay. FormMail was designed to accept form data via HTTP POST and send it as an email to a recipient address specified in the form's hidden fields. The script included a @referers configuration variable that was supposed to restrict which websites could use the script, but this check relied on the HTTP Referer header, which could be trivially spoofed or omitted entirely. Spammers discovered that they could send crafted HTTP requests directly to any publicly accessible FormMail installation and use it to send email to arbitrary addresses — effectively turning every website running FormMail into an unwitting spam relay.
The vulnerability was formally catalogued as CVE-2001-0357 — "FormMail.pl allows remote attackers to send anonymous email (spam) by modifying the recipient and message parameters." A second vulnerability, CVE-2002-0564, documented a path disclosure issue that revealed server filesystem information.
The scale of the problem was staggering. Because FormMail had been downloaded millions of times and installed on an enormous number of servers, spammers had access to a vast network of open relays. SecurityFocus reported that FormMail was the #3 most attacked script on the internet in Q1 2002, behind only the OpenSSL vulnerability and the Microsoft IIS Unicode exploit. The SANS Internet Storm Center documented waves of automated scanning for FormMail installations.
The problem was compounded by the nature of FormMail's user base. Most FormMail installations were on shared hosting accounts run by non-technical webmasters who had installed the script years earlier and had no awareness of the security issue. Many installations were running version 1.6 from 1997, unpatched and unmaintained. Hosting providers began receiving abuse complaints about spam originating from their servers, and some responded by disabling CGI entirely for shared hosting customers.
Matt Wright acknowledged the vulnerability and updated FormMail with improved input validation, stricter referer checking, and a configurable list of allowed recipient addresses. However, the updated version could only help webmasters who actively downloaded and installed the patch. The millions of existing installations remained vulnerable, and the spammers continued to exploit them.
The security crisis did significant damage to the reputation of both FormMail and Matt's Script Archive as a whole. In Perl community forums and web development discussion boards, the scripts became shorthand for insecure CGI code. PerlMonks threads from this era are filled with warnings against using Matt's scripts, sometimes accompanied by detailed analyses of their security weaknesses — not just in FormMail but in WWWBoard (which had its own cross-site scripting and file overwrite vulnerabilities), Guestbook (spam injection), and others.
It is worth noting that the security standards of the late 1990s were fundamentally different from those that prevailed after the security awakening of 2001–2003. Matt's scripts were written in an era when input validation, taint checking, and defensive programming were not standard practice in web development. The scripts were intended for a web that was smaller, more trusting, and far less hostile than the web of the early 2000s. The vulnerabilities were real and serious, but they reflected the norms of their time rather than unusual negligence.
The security problems with Matt's scripts inspired one of the more interesting community responses in Perl's history. In 2002, the London Perl Mongers — a user group of professional Perl developers — launched the NMS Project, short for "Not Matt's Scripts." The project's goal was to create secure, drop-in replacements for every script in Matt's archive.
The NMS replacements were designed to be configuration-compatible with Matt's originals: a webmaster could download the NMS version of FormMail, copy their existing configuration variables into the new script, upload it to their server, and have a secure replacement working without changing any of their HTML forms. This was a critical design decision. The London Perl Mongers understood that the people running Matt's scripts were not programmers — they were webmasters who needed the simplest possible upgrade path.
The NMS scripts were hosted at nms-cgi.sourceforge.net and included replacements for FormMail, Guestbook, WWWBoard, Free For All Links, and other MSA scripts. Each NMS script incorporated:
-T) — Perl's built-in security feature that prevents untrusted user input from being used in dangerous operations (file access, system calls, etc.) without explicit validation.use strict) — enforcing variable declaration and catching common programming errors at compile time.Matt Wright publicly endorsed the NMS Project. In May 2002, he added a notice to ScriptArchive.com stating: "I would highly recommend downloading the nms versions of the scripts if you are looking for scripts to run on your site." This was a notable act of humility — the creator of the scripts was directing his own audience to replacements written by other people because those replacements were more secure than his own work.
The NMS Project was widely praised in the Perl community and became the standard recommendation for anyone asking about CGI form processing on PerlMonks, comp.lang.perl.misc, and other Perl forums. It also served as an educational resource — the NMS source code demonstrated best practices for secure Perl CGI programming and was referenced in tutorials and talks about web application security.
The mid-2000s brought fundamental changes to web development that rendered the entire category of "downloadable CGI scripts" increasingly obsolete. Several parallel trends converged to make Matt's Script Archive, and the ecosystem it represented, irrelevant to the new generation of web developers.
PHP surpassed Perl as the dominant language for web development. PHP's advantage was primarily in ease of deployment — PHP code could be embedded directly in HTML files and executed by the web server's built-in PHP module, without the CGI overhead of launching a separate process for each request. PHP's lower barrier to entry attracted a massive community of developers and an enormous ecosystem of applications built in the language. By 2004, PHP powered the majority of dynamic websites.
Content management systems replaced individual scripts. WordPress 1.0 was released in January 2004. By 2005, WordPress and other CMS platforms (Joomla, Drupal, Movable Type) had made it possible for non-programmers to create feature-rich websites without installing individual scripts for each piece of functionality. A WordPress installation included contact forms, comments (replacing guestbooks), search, user management, and dozens of other features that would have previously required separate CGI scripts. The concept of downloading a single-purpose Perl script to add one feature to a static HTML site became archaic.
Hosted services eliminated self-hosting. Services like Google Analytics (2005) made hit counters irrelevant. Hosted form services like Wufoo (2006) and later Google Forms provided form processing without any server-side code. Blog platforms with built-in comments replaced guestbooks. Web-based forum services replaced self-hosted forum scripts. The trend was unmistakable: functionality that had previously required server-side scripts was moving to hosted, managed services.
Shared hosting providers restricted CGI. In response to the ongoing security issues with CGI scripts (not just Matt's, but the category as a whole), many hosting providers disabled CGI by default, removed Perl from shared hosting environments, or restricted script execution to approved software. The cgi-bin directory, once a standard feature of every shared hosting account, was becoming a relic.
Matt Wright adapted to these changes by launching FormMail.com, a hosted SaaS service that provided form processing without requiring webmasters to install or maintain any server-side code. FormMail.com offered the same core functionality as the original FormMail.pl script — accept HTML form submissions and deliver them as email — but as a cloud service with built-in spam filtering, SSL support, and a web-based administration panel. The service operated on a freemium model with paid plans for higher volume usage.
Development on ScriptArchive.com continued at a diminishing pace. Matt released updated versions of several scripts incorporating security fixes and feature improvements. The last significant update was FormMail v1.93, released on July 14, 2009. This version included CAPTCHA support, improved anti-spam measures, and compatibility updates for newer versions of Perl. Other scripts received occasional updates as well — Guestbook reached version 2.3.2 and WWWBoard reached version 2.0 Alpha 2.1.
In various forum posts and interviews from this period, Matt Wright indicated that his interests had moved beyond CGI script development. The web had evolved, and the tools that had defined the late 1990s were no longer needed in their original form. The transition from script distributor to SaaS provider — from FormMail.pl to FormMail.com — mirrored a broader industry trend that would later be called "software as a service."
After July 2009, ScriptArchive.com received no further updates. The site remained online as a static archive, its scripts still downloadable but no longer actively maintained. The "Last Modified" dates in the script headers became permanent timestamps marking the end of an era.
FormMail.com continued to operate as a commercial service. As of 2025, the service maintained approximately 1,000 paying customers — a small but sustainable user base consisting primarily of businesses and organizations running legacy websites that still relied on HTML forms for data collection. FormMail.com represented the last active commercial descendant of the original Matt's Script Archive.
The cultural legacy of MSA proved more durable than its technical legacy. Matt's scripts occupy a unique position in web development history: they were simultaneously the most widely used and the most widely criticized free software of the 1990s web. They democratized web interactivity by making it accessible to non-programmers, and they simultaneously demonstrated the dangers of security-unaware software achieving massive distribution.
Matt's Script Archive has its own Wikipedia article, which catalogues the scripts, the security controversies, and the NMS Project response. The article has survived multiple deletion debates — a testament to the archive's historical significance in the Wikipedia community's assessment.
Periodic waves of nostalgia bring MSA back into public discussion. In March 2025, a thread about Matt's Script Archive reached the front page of Hacker News, generating hundreds of comments from developers reminiscing about their experiences with the scripts. The thread's tone was overwhelmingly nostalgic, with commenters sharing stories of their first CGI installations, the thrill of seeing a guestbook entry appear on their website, and the formative role the scripts played in their development careers. One highly upvoted comment described MSA as "a key, if not THE key, in growing the interactive web" — a sentiment that captured the consensus view.
Other commenters noted the irony that many of the problems Matt's scripts were criticized for — insufficient input validation, trust in client-supplied data, lack of authentication — continued to appear in web applications decades later, in different languages and frameworks. The security lessons of FormMail were not unique to Perl or to the 1990s; they were fundamental lessons about web application security that each generation of developers has had to relearn.
The worldwidemart.com domain itself — the original home of the scripts — has been preserved as an archival resource. The scripts section of this site maintains documentation, code listings, and historical context for the original collection. It serves as a reference for web historians, researchers studying the evolution of open-source software distribution, and anyone curious about the tools that built the interactive web before the era of frameworks and platforms.
Matt's Script Archive ultimately comprised 16 programs: 14 Perl scripts and 2 C++ programs. The following table lists every script in the archive with its final version number, original release date (where known), and last update date.
| Script | Language | Final Version | Last Updated | Description |
|---|---|---|---|---|
| FormMail | Perl | 1.93 | July 14, 2009 | HTML form-to-email processor. The most downloaded CGI script in history, with over 2 million downloads. |
| Guestbook | Perl | 2.3.2 | April 14, 2002 | Visitor sign-in system with name, email, URL, and message fields. Stored entries as HTML files. |
| WWWBoard | Perl | 2.0 Alpha 2.1 | January 7, 2000 | Threaded discussion forum using flat HTML files for storage. No database required. |
| Counter | Perl | 4.0 | August 3, 1998 | Graphical hit counter displaying page visits with customizable digit images. |
| TextCounter | Perl | unknown | c. 1997 | Text-based page visit counter. Lighter alternative to the graphical counter. |
| Simple Search | Perl | unknown | c. 1998 | Full-text search engine for static HTML pages and text files on the server. |
| Random Link | Perl | unknown | c. 1997 | Redirected visitors to a randomly selected URL from a configured list. |
| TextClock | Perl | unknown | c. 1997 | Displayed current server time on a web page with configurable time zones. |
| Countdown | Perl | unknown | c. 1997 | Countdown timer to a specified date and time. |
| Cookie Library | Perl | unknown | c. 1997 | Perl library for managing HTTP cookies in CGI scripts. |
| Free For All Links | Perl | unknown | c. 1997 | User-submitted link directory. Visitors could add their own website URLs. |
| Random Image Displayer | Perl | unknown | c. 1998 | Displayed a randomly selected image from a server directory. |
| SSI Random Image | Perl | unknown | c. 1998 | Server Side Includes variant of the random image script. |
| Random Text | Perl | unknown | c. 1998 | Inserted a randomly selected text snippet into a page. |
| Mailing List | Perl | unknown | c. 1998 | Email list manager for subscriber management and bulk messaging. |
| Animation | C++ | unknown | c. 1997 | Server-push animation program. Required compilation on the server. |
In addition to these primary scripts, the archive included utility scripts, configuration examples, and demonstration pages. The full scripts directory on this site preserves documentation and code listings for each program in the collection.
| Date | Event |
|---|---|
| 1994 | World Wide Mart, Inc. founded by Dave Jackson in Naples, Florida. |
| 1995 | Matt Wright begins distributing Perl CGI scripts at worldwidemart.com/scripts/. |
| Oct 29, 1995 | Guestbook v2.3.1 released — one of the earliest dated scripts in the archive. |
| May 2, 1997 | FormMail v1.6 released — the version that achieved mass adoption. |
| Aug 3, 1998 | Counter v4.0 released. |
| Jan 7, 2000 | WWWBoard v2.0 Alpha 2.1 released. |
| c. 2000 | Matt Wright registers scriptarchive.com and begins transitioning the archive to the new domain. |
| 2001 | CVE-2001-0357 published — FormMail identified as an open email relay exploited by spammers. |
| Q1 2002 | SecurityFocus ranks FormMail as #3 in Top Attacks for the quarter. |
| 2002 | CVE-2002-0564 published — path disclosure vulnerability in FormMail. |
| 2002 | London Perl Mongers launch the NMS Project (nms-cgi.sourceforge.net) with secure drop-in replacements. |
| May 2002 | Matt Wright publicly endorses NMS: "I would highly recommend downloading the nms versions." |
| Apr 14, 2002 | Guestbook v2.3.2 released — the final version. |
| Jan 2004 | WordPress 1.0 released, beginning the CMS era that would make single-purpose CGI scripts obsolete. |
| c. 2005 | Matt Wright launches FormMail.com, a hosted SaaS form processing service. |
| Nov 2005 | Google Analytics launched, effectively ending the era of CGI hit counters. |
| Jul 14, 2009 | FormMail v1.93 released on scriptarchive.com — the last significant update to any MSA script. |
| Mar 2025 | Matt's Script Archive reaches the front page of Hacker News, triggering a wave of developer nostalgia. |
Matt's Script Archive occupies a unique and somewhat paradoxical position in web development history. It was simultaneously one of the most important and one of the most problematic collections of free software ever distributed on the web.
On the positive side, MSA democratized web interactivity at a critical moment in the web's growth. In the mid-1990s, adding any kind of dynamic functionality to a website required programming knowledge that the vast majority of webmasters did not possess. By providing free, easy-to-install scripts with clear documentation, Matt Wright enabled millions of people to create interactive websites that would have otherwise been static pages. This contribution was particularly significant because it occurred during the web's most rapid period of growth — the period when the web was transitioning from an academic and technical tool to a mass medium.
The scripts also served as educational material for an entire generation of web developers. Many programmers who went on to professional careers in web development have cited Matt's scripts as their first exposure to server-side code. Reading the source code of FormMail or Guestbook — seeing how HTTP headers were parsed, how form data was processed, how files were read and written — was an entry point into understanding how the web actually worked beneath the surface of HTML pages.
On the negative side, the security vulnerabilities in the scripts caused real and measurable harm. The FormMail open relay vulnerability was responsible for an unknown but certainly enormous volume of spam email. The exploitation of FormMail installations imposed costs on hosting providers (who had to deal with abuse complaints), on email recipients (who received spam), and on the webmasters themselves (whose accounts were sometimes suspended due to spam originating from their servers). The episode demonstrated the risks of widely distributing software that was written without security as a design priority.
The MSA story also illustrates a pattern that has recurred throughout software history: software that is easy to install and "just works" will achieve massive adoption regardless of its technical quality. Matt's scripts were not the best-written Perl of their era. Experienced Perl developers recognized this even in the 1990s. But they were the most accessible, the best-documented (for their target audience), and the easiest to install. Technical excellence and mass adoption do not always correlate, and Matt's Script Archive is one of the clearest examples of this principle in web development history.
The NMS Project response demonstrated another recurring pattern: community-driven quality improvement. When widely used software has problems, technically skilled community members often step in to create improved alternatives. The NMS approach of maintaining configuration compatibility while rewriting the internals was elegant and effective, and it foreshadowed similar community responses to insecure popular software in later years.
Finally, MSA represents a lost model of software distribution. The idea of a single developer writing small, self-contained programs and distributing them freely through a personal website is essentially extinct in modern web development. Today's equivalent functionality is delivered through npm packages, WordPress plugins, SaaS APIs, and cloud services. The era of downloading a .pl file, editing a few variables, uploading it to your cgi-bin, and having a working feature is over. Whether this represents progress or loss — or both — depends on one's perspective. But it is undeniable that the web Matt's scripts helped build was a different kind of web: more personal, more hands-on, and more forgiving of imperfection.