In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.