Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-20825

When a student has gone over-time it a quiz, it should be obvious to teachers in the UI

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Minor Minor
    • 2.3
    • 1.9.6
    • Quiz
    • None
    • MySQL
    • MOODLE_19_STABLE
    • MOODLE_23_STABLE

      Recently i have found a pretty substantial bug in the way moodle handle's quizzes. I've found out that when you inject some javascript onto the quiz page, you can kill the countdown timer, allowing intentional fast 5 minuite timed quizzes to last an hour. And moodle doesn't really care! (Note this really only works if a person has a portable browser or control of their browser for the injecting to work). BTW, this was tested in "secure" quiz mode.

      To do this, you must have someway of injecting code into a webpage. This can be accomplised through Firebug, greasemonkey, or an unlocked address bar (forcing all popups to open in a new tab prevents the address bar from being locked). In greasemonkey, i did this:

      GM_registerMenuCommand('MoodleKill - Kill function',function() {
      main();
      });

      function main() {
      for(var i=0; i<500; i++)

      { window.clearTimeout(i); }

      document.getElementById('clock').innerHTML = "<b>UNLIMITED</b><br>Hacked by Lord.Quackstar"
      }

      If you have access to firebug or any other javascript debugger program, run this:
      for(var i=0; i<500; i++)

      {window.clearTimeout(i);}document.getElementById('clock').innerHTML = "<b>UNLIMITED</b><br>Hacked by Lord.Quackstar";

      If you can force all popups in new tabs, simply copy this into the address bar and press enter:
      javascript:for(var i=0; i<500; i++) {window.clearTimeout(i);}

      document.getElementById('clock').innerHTML = "<b>UNLIMITED</b><br>Hacked by Lord.Quackstar";void(0);

      Attached is screenshots of the result from 3 pages.

      Now what I'm wondering is why moodle doesn't notify anyone that someone has taken a 5 minute quiz in an hour! While moodle does have server side time checking, it doesn't do anything with the times. Right now the only way to find out this info is to manually scan each person's activity report regularly, a unfesable goal.

      EDIT: I didn't know this before (i don't actually run a moodle site), but you can view times by going to the results tab of the quiz. This still however rely's on the teacher manually checking the quiz, not an automated system warning them.

      For those of you thinking that no can really do this due to lack of knowledge, any student taking a web programming class that study's javascript knows how to run this (this is usually the type of class that would have a moodle website). This is a major threat to any people that use online quizzes in a programming class.

      BTW, unless there was a major rewrite from v1.8* to v1.9*, all versions are affected.

            timhunt Tim Hunt
            lord.quackstar Leon
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.