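use strict;
use warnings;
use CGI qw(:standard);
# NOTE(review): fatalsToBrowser sends die() text, including server-side paths,
# to the client. Useful while debugging; drop it before exposing the script.
use CGI::Carp qw(fatalsToBrowser);
use File::Basename;

# Minimal CGI file uploader: stores the posted file under $PATH and lists the
# directory contents as links.
#
# NOTE(review): no request size limit is set here; CGI.pm's $CGI::POST_MAX can
# cap upload size if assigned before the first param()/upload() call.

# Upload target, deliberately outside cgi-bin. The web server must serve this
# directory as static content only, never execute anything in it.
my $PATH = '/path/to/upload/not/in/cgi-bin/UPLOAD';

print header, start_html('not very safe uploader');

if (param('go')) {
    my $handle      = upload('the_file');
    my $client_name = param('the_file');
    $client_name = defined $client_name ? "$client_name" : '';

    # The file name is chosen by the client and must not be trusted: keep only
    # the last path component (either separator style), then accept a strict
    # allowlist. This blocks "../" traversal, absolute paths, NUL bytes and
    # dotfiles such as .htaccess.
    (my $leaf = $client_name) =~ s{\A.*[\\/]}{}s;
    my ($safe_name) = $leaf =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,127})\z/;

    if (defined $handle && defined $safe_name) {
        # Lexical handle + 3-arg open; an existing file of the same name is
        # still overwritten, as before.
        open my $out, '>', "$PATH/$safe_name"
            or die "can't open target $safe_name: $!";

        # Uploads are arbitrary bytes: copy in binary mode, in fixed chunks
        # rather than by "line".
        binmode $handle;
        binmode $out;
        my $buffer;
        while (read($handle, $buffer, 8192)) {
            print {$out} $buffer
                or die "can't write target $safe_name: $!";
        }

        # Buffered write errors only surface at close.
        close $out or die "can't finish writing $safe_name: $!";
    }
    else {
        print p('upload rejected: missing file or unsupported file name');
    }
}

my @file = map { basename($_) } <$PATH/*>;

# Names on disk are escaped before being echoed: URL-escaped inside the href,
# HTML-escaped as link text, so a stray file name cannot inject markup.
print
    start_multipart_form(),
    p('upload:', filefield('the_file', undef, 50, 80)),
    p(submit('go')),
    end_form,
    hr,
    ul(li([
        map { a({ href => '/UPLOAD/' . CGI::escape($_) }, CGI::escapeHTML($_)) }
            @file
    ])),    # YMMV here
    hr,
    end_html,
    ;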