That's true, although they could just as well do a dictionary attack on the main site.

True, but a stand alone program running on the local machine could do it a lot more effectively, and hide its behaviour more easily.

Which is why I don't intend to set the permissions badly. :)

Of course :-) But it is one more place where you're open to attack.

For example, this bit of mod_perl will intercept some future requests, but isn't possible under CGI:

++ sneaky