#!C:/perl/bin/perl.exe -wT
use strict;
use CGI;

# Do not run this script on a server connected to the 'Net
# It is supplied as a bad example

my $cgi  = CGI->new();
my $file = $cgi->param( 'file' );

# Bad taint checking!
# This is, amongst other things, a deliberately incomplete list
# of shell metacharacters
my $data = $1 if $file =~ m#([^./\\`$"'&]+\.?[^./\\`$"'&]+)$#;

$data .= '.dat';
my $userInfo;

open FILE, "<$data" or die "Cannot open $data: $!\n";
{
    local $/;
    $userInfo = <FILE>;
}
close FILE;

print $cgi->header,
      $cgi->start_html,
      $cgi->pre( $userInfo ),
      $cgi->end_html;

##</code><code>##

http://localhost/cgi-bin/insecure.cgi?file=insecure.cgi%00loser!