You are seeing the verbose messages from the unzip process in your web page because unzip is sending them to stdout, which is inherited from the caller's stdout. Stdout for a CGI script is the web page being generated, so if a CGI script starts a child process that emits output to stdout, that output will end up in the generated web page.

As wind and cdarke suggested, you should use a perl module to unzip the archive, or if you can't redirect the output from the unzip process to /dev/null. You could also capture the output with a piped open and either parse or discard it

Also, where does this zip archive come from? If it is uploaded by an untrusted user then have you considered the possibility of a Zip bomb?