There are a few things you need to do for any fileupload system to protect yourself. Luckily, if you look hard enough you will find that CGI supports them fairly well.

One, with any file creation done by a web script, you need to carefully deal with tempfile creation and filenames. Two, you need to limit the maximum upload size.

See these posts: File Upload Security Question; Security question; File Upload + recording "metadata"; How to limit upload file size?; and of course the now epic use CGI or die;.

--
$you = new YOU;
honk() if $you->love(perl)