Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-20825

When a student has gone over-time it a quiz, it should be obvious to teachers in the UI

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 1.9.6
    • 2.3
    • Quiz
    • None
    • MySQL
    • MOODLE_19_STABLE
    • MOODLE_23_STABLE

    Description

      Recently i have found a pretty substantial bug in the way moodle handle's quizzes. I've found out that when you inject some javascript onto the quiz page, you can kill the countdown timer, allowing intentional fast 5 minuite timed quizzes to last an hour. And moodle doesn't really care! (Note this really only works if a person has a portable browser or control of their browser for the injecting to work). BTW, this was tested in "secure" quiz mode.

      To do this, you must have someway of injecting code into a webpage. This can be accomplised through Firebug, greasemonkey, or an unlocked address bar (forcing all popups to open in a new tab prevents the address bar from being locked). In greasemonkey, i did this:

      GM_registerMenuCommand('MoodleKill - Kill function',function() {
      main();
      });

      function main() {
      for(var i=0; i<500; i++)

      { window.clearTimeout(i); }

      document.getElementById('clock').innerHTML = "<b>UNLIMITED</b><br>Hacked by Lord.Quackstar"
      }

      If you have access to firebug or any other javascript debugger program, run this:
      for(var i=0; i<500; i++)

      {window.clearTimeout(i);}document.getElementById('clock').innerHTML = "<b>UNLIMITED</b><br>Hacked by Lord.Quackstar";

      If you can force all popups in new tabs, simply copy this into the address bar and press enter:
      javascript:for(var i=0; i<500; i++) {window.clearTimeout(i);}

      document.getElementById('clock').innerHTML = "<b>UNLIMITED</b><br>Hacked by Lord.Quackstar";void(0);

      Attached is screenshots of the result from 3 pages.

      Now what I'm wondering is why moodle doesn't notify anyone that someone has taken a 5 minute quiz in an hour! While moodle does have server side time checking, it doesn't do anything with the times. Right now the only way to find out this info is to manually scan each person's activity report regularly, a unfesable goal.

      EDIT: I didn't know this before (i don't actually run a moodle site), but you can view times by going to the results tab of the quiz. This still however rely's on the teacher manually checking the quiz, not an automated system warning them.

      For those of you thinking that no can really do this due to lack of knowledge, any student taking a web programming class that study's javascript knows how to run this (this is usually the type of class that would have a moodle website). This is a major threat to any people that use online quizzes in a programming class.

      BTW, unless there was a major rewrite from v1.8* to v1.9*, all versions are affected.

      Attachments

        Issue Links

          Activity

            People

              timhunt Tim Hunt
              lord.quackstar Leon
              Tim Hunt, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                25/Jun/12