in reply to Called by Require or Not

I've seen too many web sites get confused configurations such that (at least for a while) they are shipping out their CGI source code instead of running their CGIs.

I usually protect against this by having the CGI (or mod_perl or whatever similar technology) scripts mostly just require other files that do the real work. And I place these other files outside of the web root directory.

I would move your common.pl so it is outside of the web root (that shouldn't be much work). It is more robust security to only place under the web root those things that you want accessible via the web.

- tye
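
An added example, not part of tye's post: a Perl check that walks a web root and reports files that look like `require`d library code (such as a `common.pl`) rather than entry-point scripts, which is the case the reply recommends moving out. The function name `audit_web_root`, the `htdocs`/`lib` layout, the file contents and the "no `#!` line means library" heuristic are all assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Return the paths under $root that look like Perl library code.
# Heuristic (an assumption of this example): a .pm or .inc file, or a .pl
# file without a #! line, exists to be require'd by something else, so it
# has no reason to sit where a misconfigured server could send it as text.
sub audit_web_root {
    my ($root) = @_;
    my @findings;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        return unless -f $path;
        return unless $path =~ /\.(pl|pm|inc)\z/i;
        my $ext = lc $1;
        open my $fh, '<', $path or return;
        my $first = <$fh>;
        close $fh;
        $first = '' unless defined $first;
        push @findings, $path if $ext ne 'pl' || $first !~ /^#!/;
    } }, $root);
    return sort @findings;
}

# Constructed sample tree: a thin stub plus a stray library under the web
# root, and the same library in a directory outside it.
my $tmp   = tempdir(CLEANUP => 1);
my %files = (
    'htdocs/cgi-bin/app.cgi'   => "#!/usr/bin/perl\nrequire 'common.pl';\n",
    'htdocs/cgi-bin/common.pl' => "sub shared_helper { return 1 }\n1;\n",
    'lib/common.pl'            => "sub shared_helper { return 1 }\n1;\n",
);
for my $rel (sort keys %files) {
    my $full = "$tmp/$rel";
    (my $dir = $full) =~ s{/[^/]+\z}{};
    make_path($dir);
    open my $out, '>', $full or die "$full: $!";
    print {$out} $files{$rel};
    close $out;
}

# Only the web root is audited; lib/ sits outside it and is never visited.
print "library code under web root: $_\n" for audit_web_root("$tmp/htdocs");
```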