Unless you run this over https it is insecure as the password goes over the wire in plaintext. You have a CGI object. It contains all the params. Why not just pass that to your validate and change functions? Typically I use the return null string if function succeeds or error string if it fails. This lets you avoid globals like your g_err_msg. Then the app logic goes:

if ( $q->param ) {
    my $err_msg = validate( $q );
    if ( $err_msg ) {
        show_form($err_msg);
    }
    else {
        my $msg = change_pass( $q );
        show_form( $msg );   # msg may be error or success message
    }
}
else {
    show_form();
}
exit 0;
[download]

I can't see how it might be exploited but is is usually wise to limit CGI user input to a selected range of characters. The null byte hack is one issue this attends to.