StudentManager
Arbitrary Password Reset Found in student/personal.jsp
I found an arbitrary password reset in student/personal.jsp.
When a user modifies their information, there is no check about who it is, and it calls update_student_security, which updates database columns just according to the user-controlled id.
When a hacker modifies the uid to someone's uid, that person's information and password can be reset to whatever the hacker wants.
The following images show the information before modification, and I log in as 20162430635.
I modify the id to 20162430636 and send the package, and user-36's information is modified.
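
The missing check described in the report, next to a version that binds the update to the logged-in session, as an added example that is not part of the original report and not StudentManager's code. The class, method, and key names (`PersonalUpdateDemo`, `updateTrustingRequestId`, `updateBoundToSession`, `studentId`) and the in-memory table are assumptions; the two ids are the ones from the report.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; all names here are hypothetical, not the project's own code.
public class PersonalUpdateDemo {
    // Constructed in-memory stand-in for the student table: id -> password value.
    static final Map<String, String> passwords = new HashMap<>();

    // Pattern from the report: the row to update is selected by the id sent in the request.
    static boolean updateTrustingRequestId(Map<String, String> params) {
        String id = params.get("id");
        if (!passwords.containsKey(id)) return false;
        passwords.put(id, params.get("password"));
        return true;
    }

    // Hardened: the row is selected by the id stored server-side at login.
    // A request that names a different id is rejected and logged.
    static boolean updateBoundToSession(Map<String, Object> session, Map<String, String> params) {
        Object sessionId = session.get("studentId");
        if (!(sessionId instanceof String)) return false; // not logged in
        String requested = params.get("id");
        if (requested != null && !requested.equals(sessionId)) {
            System.out.println("DENY id mismatch: session=" + sessionId + " request=" + requested);
            return false;
        }
        passwords.put((String) sessionId, params.get("password"));
        return true;
    }

    public static void main(String[] args) {
        passwords.put("20162430635", "pw-35"); // constructed sample rows
        passwords.put("20162430636", "pw-36");
        Map<String, Object> session = new HashMap<>();
        session.put("studentId", "20162430635"); // logged in as ...635
        Map<String, String> params = new HashMap<>();
        params.put("id", "20162430636"); // request names another student
        params.put("password", "changed");

        System.out.println("bound to session: " + updateBoundToSession(session, params)
                + ", ...636 = " + passwords.get("20162430636"));
        System.out.println("trusting request: " + updateTrustingRequestId(params)
                + ", ...636 = " + passwords.get("20162430636"));
    }
}
```

In a JSP application the session map corresponds to `HttpSession` attributes set at login, and a password change would normally also require the current password before the update runs.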