StudentManager
Arbitrary Password Reset Found in teacher/personal.jsp
I found an arbitrary password reset in teacher/personal.jsp.
When a user modifies their information, there is no check of who the user is; the page calls update_teacher and updates the database columns according only to the user-controlled id.
When a hacker changes the uid to someone else's uid, that person's information and password can be reset to whatever the hacker wants.
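
The missing ownership check and one way to add it, as an added example that is not the project's code. The class and method names, the in-memory map standing in for the database, and the `uid`/`name`/`password` parameter names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for the teacher table; all names here are hypothetical.
public class ProfileUpdateDemo {
    record Teacher(String name, String password) {}

    static final Map<Integer, Teacher> DB = new HashMap<>();

    // Pattern described in the report: the row to update is chosen by the
    // uid request parameter, with no comparison to the logged-in user.
    static void updateVulnerable(Map<String, String> params) {
        int uid = Integer.parseInt(params.get("uid"));
        DB.put(uid, new Teacher(params.get("name"), params.get("password")));
    }

    // Hardened form: the target id comes from the server-side session, and a
    // request that names a different uid is refused instead of being applied.
    static boolean updateChecked(Integer sessionUid, Map<String, String> params) {
        if (sessionUid == null) return false;                 // not logged in
        String claimed = params.get("uid");
        if (claimed != null && !claimed.equals(String.valueOf(sessionUid))) {
            return false;                                     // uid mismatch: refuse and log
        }
        DB.put(sessionUid, new Teacher(params.get("name"), params.get("password")));
        return true;
    }

    public static void main(String[] args) {
        DB.put(1, new Teacher("alice", "alice-pw"));
        DB.put(2, new Teacher("bob", "bob-pw"));

        // Constructed request: the session belongs to uid 2, the form names uid 1.
        Map<String, String> req = Map.of("uid", "1", "name", "alice", "password", "changed");

        boolean ok = updateChecked(2, req);
        System.out.println("checked update accepted: " + ok + ", uid 1 = " + DB.get(1));

        updateVulnerable(req);
        System.out.println("vulnerable update, uid 1 = " + DB.get(1));
    }
}
```

In a JSP or servlet the session value would come from an attribute set at login, never from a form field or query string. Requiring the current password before accepting a new one adds a second barrier for password changes.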