Can't help much with your problem, but the following concerns me:

# html form value
<INPUT TYPE="RADIO" NAME="efile" VALUE="ban_account.txt">
# filename taken from the above form value, used in 
# an open for read, later, perhaps, in an open for writing
$file = $INPUT{'efile'};
...
open (DAT,"<$path/data/$file");
[download]

Youch. I do see a check for a password, but you are letting anyone with the password read and write files as whatever user your httpd runs as.

Consider if someone passes "../../../usr/local/whatever" in the 'efile' form parameter. You may want to take a look at the security of this script.