MDL-16986

Quiz IP protection broken in Moodle 1.9.2!

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.9.2
    • Fix Version/s: 1.7.7, 1.8.8, 1.9.4
    • Component/s: Quiz, Security Alert
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE

      Description

      Later, while studying logs, I found a very worrying issue: students can access IP-protected quizzes on our site from any computer! I tried it myself under a student login and found I can do this too. Also, Moodle stops showing the messages about IP protection to teachers if they use a computer outside the valid range. This is a disaster for the security policy of our university!

      IP address range used on our quizzes: 172.16.1.143/148, 172.16.1.136/137, 172.16.1.98/126.
      Examples of addresses with student access from the logs: 85.172.119.4 or 213.234.0.194
      The role for the student is a standard Moodle role, without any redefinition.

      I can e-mail you a login and password to access one of our courses with such quizzes in a student role if you can't reproduce the bug.

      Please fix this with all possible speed. I have already detected about 10 students' attempts to access protected quizzes (and save their contents with feedback; they don't even bother to try to answer the questions).

        Activity

        Tim Hunt added a comment -

        Moodle is working here, the problem is with your settings. I think you mean 172.16.1.143-148, 172.16.1.136-137, 172.16.1.98-126
        I suppose the help file could be better, since it uses the jargon CIDR notation - explanation here http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_blocks, however that is a standard notation for blocks of IP addresses.

        Tim Hunt added a comment -

        However, I suppose that when the number after the / is greater than 32 (and therefore broken) we should treat it as 32, so the system fails on the side of blocking access rather than allowing anyone in.

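The two comments above spell out the intended semantics: the setting takes CIDR blocks (and, as the reporter meant, last-octet ranges such as 172.16.1.143-148), and a prefix length greater than 32 is malformed and should be treated as /32 so that a typo fails closed rather than admitting every client. The following is an added Python example written for this page, not Moodle's own subnet code (Moodle's quiz check is PHP): it parses a comma-separated list in CIDR, dash-range or single-host form, clamps or rejects an out-of-range prefix, flags malformed entries for an admin, and evaluates the setting from the report against the client addresses seen in the reporter's logs. The entries and client IPs come from the report; every function name is this example's own.

```python
import ipaddress

IPV4_MAX_PREFIX = 32


def cidr_to_range(entry, clamp=True):
    """Parse 'a.b.c.d/nn' into an inclusive (low, high) pair of integers.

    A prefix length above 32 is malformed for IPv4. With clamp=True it is
    treated as /32 (one host), so an entry like '172.16.1.143/148' fails
    closed instead of matching every client; with clamp=False it raises.
    """
    addr, _, bits_text = entry.partition("/")
    bits = int(bits_text)
    if not 0 <= bits <= IPV4_MAX_PREFIX:
        if not clamp:
            raise ValueError(f"prefix length out of range in {entry!r}")
        bits = IPV4_MAX_PREFIX
    net = ipaddress.IPv4Network((addr.strip(), bits), strict=False)
    return int(net.network_address), int(net.broadcast_address)


def dash_to_range(entry):
    """Parse 'a.b.c.d-e' (last octet only) or 'a.b.c.d-w.x.y.z' into (low, high).

    This is the form the reporter actually wanted: 172.16.1.143-148 covers
    the six hosts .143 through .148.
    """
    start_text, _, end_text = entry.partition("-")
    start_text, end_text = start_text.strip(), end_text.strip()
    if "." not in end_text:
        end_text = start_text.rsplit(".", 1)[0] + "." + end_text
    start, end = ipaddress.IPv4Address(start_text), ipaddress.IPv4Address(end_text)
    if end < start:
        raise ValueError(f"range end precedes start in {entry!r}")
    return int(start), int(end)


def parse_entry(entry, clamp=True):
    """Dispatch one list entry: CIDR block, dash range, or a single host."""
    if "/" in entry:
        return cidr_to_range(entry, clamp)
    if "-" in entry:
        return dash_to_range(entry)
    host = int(ipaddress.IPv4Address(entry.strip()))
    return host, host


def parse_subnet_list(text, clamp=True):
    """Turn a comma-separated setting into a list of inclusive integer ranges."""
    return [parse_entry(e, clamp) for e in text.split(",") if e.strip()]


def address_in_list(client_ip, text, clamp=True):
    """True if client_ip falls inside any entry of the subnet setting."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return any(low <= ip <= high for low, high in parse_subnet_list(text, clamp))


def validate_subnet_list(text):
    """Return (entry, reason) for every entry that does not parse strictly.

    Meant for the settings form: an admin who types 172.16.1.143/148 should
    be told at save time, not find out from the logs months later.
    """
    problems = []
    for entry in (e.strip() for e in text.split(",") if e.strip()):
        try:
            parse_entry(entry, clamp=False)
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return problems


# Constructed from the values quoted in the report above.
REPORTED_SETTING = "172.16.1.143/148, 172.16.1.136/137, 172.16.1.98/126"
INTENDED_SETTING = "172.16.1.143-148, 172.16.1.136-137, 172.16.1.98-126"
LOGGED_CLIENTS = ["85.172.119.4", "213.234.0.194"]

if __name__ == "__main__":
    for problem in validate_subnet_list(REPORTED_SETTING):
        print("rejected:", problem)
    for client in LOGGED_CLIENTS + ["172.16.1.145"]:
        print(client,
              "as typed (clamped):", address_in_list(client, REPORTED_SETTING),
              "as intended:", address_in_list(client, INTENDED_SETTING))
```

With clamping, the setting as the reporter typed it shrinks to three single hosts (172.16.1.143, .136 and .98), so the off-campus addresses from the logs are denied but so is most of the lab; the corrected dash-range setting admits exactly the intended hosts. Running the strict validator on save is the cheaper fix: it rejects all three malformed entries before they reach production.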
