I agree that there are security issues that need to be addressed here. One thing that I didn't see at that link that Joost mentioned here ('cause it's not really a CGI issue) is the use of system.

The OP is using the single-argument form, with part of that argument taken directly from the form input. Bad Idea. Use the multiple-argument form of system after validating the form input, that each variable contains only data that's expected:

system ("/var/www/perl/cgi_classification.pl", $outfile, $input_sequen
+ce, $name);
[download]

This line looks hairy, as well:

open OUTFILE, ">/var/www/data/$ARGV[0]" or die "cannot....";
[download]

I don't know whether $ARGV[0] is tainted, but I'd validate it before opening, anyway.

my $filename = $ARGV[0];
# Use whatever regex suits your needs. this is just an example.
if ($filename =~ /^([\w]+\.[\w]+)$/) { 
  $filename = $1;
  } else {
  # handle the error here
}
[download]

HTH

--

There are 10 kinds of people -- those that understand binary, and those that don't.