Be very careful about validating that the server here is not public facing, or that the uploader is very well protected, or it could end up being a drop box for many items that are less than desirable.

It appears to be that the image uploader is dropping an image directly into the public_html directory for the user. If this public_html directory is available to the web, and the script that is allowing the upload is not protected well, it would be quite easy to use the user's image area for a dropbox for certain types of images, warez, and other content typically not acceptable to service providers (and perhaps the user).

Update: I also would (typically) not allow a mod_perl component to run in a user's context, unless the user is the sole process owner on that instance of Apache. mod_perl runs in the context of the server, and, if I remember correctly (I am certain that I will be corrected if I don't), is not able to be run as the user, the way that fCGI, CGI, PHP, and other script types can be. By loading a module under mod_perl from the user's directory, you are giving the user access to your entire Apache instance. The user is able to modify the module, and on the next server restart, will have the new code executing, or perhaps crashing the server.