print "Content-type: text/html\n\n";
print "<HTML> <HEAD>\n";
open("runmain","$commands{$PROGRAM} $TARGET_HOST |");
[download]

I pray that $commands{$PROGRAM} and $TARGET_HOST aren't based on user input, because otherwise you've built yourself a massive security hole, which I discuss here, including solutions.

The 2>&1 workaround requires the shell to work and therefore I would definitely not recommend it. Perl does give it a bit of special treatment to avoid the shell sometimes, but that only works e.g. as long as there aren't other shell metacharacters in the command string, and I would consider it an optimization rather than some kind of security feature.

In this case, if you don't mind waiting for the external command to finish before getting its results, I might suggest IPC::Run3. If you need the "live" output of the command, IPC::Run can provide this. Both of these modules support capturing STDERR as well. As I write in the first link above, IPC::Run doesn't explicitly say that it avoids the shell in the documentation, but looking at the code shows that it does. If you want to play it really safe, use one of the modules that explicitly state they avoid the shell, like IPC::Run3.

(As for perhaps wanting "live" output of the command showing up in the browser, which I am guessing you might want to do based on the traceroute example, writing that out to the browser with autoflush turned on is a pretty old-school way to do it, and it may not work at all e.g. in the presence of proxies. For a modern approach, see e.g. the code I posted here.)

Update: Added a few small clarifications.