The script takes plain text from forms input as a parameter and encrypts it using GnuPg then emails the result to us. So yes it would be nice if it were not public accessible from a browser.

Why? Why don't you do exactly that in the program that accepts the form input? Yo do not need a subprocess for encryption, and you don't need one to send out emails.

If the program that accepts the form input is implemented as bad as the code in your first posting in this thread, I would not be surprised at all to find a remote execution exploit based on something that might look like this:

# Don't EVER write code like this!
# Don't copy this crap!
# This is intentionally insecure code!
use CGI ();
my $q=CGI->new();
my $forminput=$q->param('some_field');
system("/www/user08154711/cgi-bin/crypt-and-mail-me.cgi '$forminput' &
+");
[download]

Alexander