http://qs321.pair.com?node_id=296603


in reply to Re: Cgi pm and photo uploads
in thread Cgi pm and photo uploads

Hello sulfericacid

Your script is pretty easy to follow. It does the job. However, there are a few things that could be tweaked.

You might put my $localfile at the top of the script. It will be easier to find there when you move the script to another host. Generally it is best to put constants like this at the top of the script.

You might run in taint mode (put -T on the shebang line).

You allow some nasty chars in the user-supplied filename. Evil can be done to you with more than semicolons. Better to use the regexes in perldoc perlsec to ban everything except what you explicitly allow.

Having your images directory world-writable is a bit risky. For one thing, other users on your server will be able to clobber things.

If it is not set globally, you might also look at $CGI::POST_MAX.

Hope this is helpful
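The following is an added example of an upload handler that applies the points above (taint mode, constants at the top, an allow-list regex on the filename, $CGI::POST_MAX, and no reliance on a world-writable directory). It is not code from the original post or from sulfericacid's script; the directory path, the 'photo' form field name and the size limit are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script. The -T switch on the
# shebang line turns on taint mode for the whole script.
use strict;
use warnings;
use CGI;
use File::Basename qw(basename);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Constants at the top so they are easy to find when the script moves hosts.
# $localdir is an assumed path; it should be writable by the web server user
# only (e.g. mode 0755 owned by that user), not by everyone.
my $localdir = '/var/www/images';
$CGI::POST_MAX = 2 * 1024 * 1024;   # must be set before CGI->new; rejects bodies over 2 MB

# Under -T, %ENV is tainted; fix PATH and drop shell-influencing variables
# before anything could run an external command.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# CGI.pm records an error (and discards the body) when POST_MAX is exceeded.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err), "Upload rejected: $err\n";
    exit;
}

# 'photo' is the assumed name of the file input on the form.
my $fh = $q->upload('photo')
    or die "no file uploaded\n";

# Untaint the user-supplied name perlsec style: take only the base name,
# then allow a small explicit character set and capture it; the capture
# group ($1) is what clears the taint flag.
my $name = basename(scalar $q->param('photo'));
if ($name =~ /^([A-Za-z0-9._-]+)$/ && $name !~ /^\.+$/) {
    $name = $1;
} else {
    die "filename contains characters outside the allowed set\n";
}
# Additionally require an image extension.
die "unexpected extension\n" unless $name =~ /\.(?:jpe?g|png|gif)\z/i;

my $target = "$localdir/$name";
# O_EXCL means an existing file is never clobbered by a second upload.
sysopen(my $out, $target, O_WRONLY | O_CREAT | O_EXCL, 0644)
    or die "cannot create $target: $!\n";
binmode $out;
binmode $fh;
my $buf;
while (my $n = read($fh, $buf, 65536)) {
    print {$out} $buf or die "write failed: $!\n";
}
close $out or die "close failed: $!\n";

print $q->header('text/plain'), "Saved $name\n";
```

The regex deliberately allows only `[A-Za-z0-9._-]`, so the semicolon, slash and shell metacharacters the post warns about are rejected rather than stripped, and the `^\.+$` check keeps `.` and `..` from slipping through the otherwise permitted dot. Because the directory is owned by the web server user instead of being world-writable, other local users cannot overwrite what is uploaded.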