Assuming your web server is configured correctly, it should execute all CGIs when it receives a request for one of them. That is, if the requested file is in a specified directory (/cgi-bin) or has a specified extension (.pl, .shtml, .cgi), the server will execute the file and pass the results to the browser.

Since the web server does this for all HTTP requests, telnetting in or using a homebrew web client should not give anyone access to the script source -- assuming that your server is configured correctly.

For non-HTTP requests (such as FTP or telnet to any port besides the one on which the server listens), you'll have to deal with system security, as in read permissions, chroot, and all the other good stuff. Then again, if someone finds an FTP or telnet or non-HTTP exploit, he's likely to look other places before your script directories.