Report

CVE-2024-38428: wget URL parser allows multiple @ characters in hostname causing hostname confusion

4ba710de-5372-433a-a98a-41d545855951

The wget v1.24 URL parser has a vulnerability in url_skip_credentials() (src/url.c, lines 525-534), which uses strpbrk() to search for the first occurrence of '@', '/', '?', '#', or ';'. When a URL contains multiple '@' characters, the parser skips only past the first '@' and leaves every later '@' inside the hostname. A URL such as http://user@attacker.com@victim.com/path is therefore parsed with 'attacker.com@victim.com' as the hostname. This enables hostname confusion attacks: an attacker can craft URLs that confuse the parser or redirect connections while the URL appears to use a trusted domain.
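The following is an added illustration, not wget's own code: a minimal parser that reproduces the first-'@' skipping the report describes next to a hardened variant that bounds the authority at the first '/', '?' or '#' before looking for the userinfo delimiter and rejects an authority containing more than one '@'. Function names, the scheme-stripping logic and the sample URLs are constructed for this example.

```c
#include <string.h>

/* Added illustration, not wget's code. Mirrors the page's description of
 * url_skip_credentials(): find the first of "@/?#;" and skip past it only
 * when it is an '@'. */
static const char *naive_skip_credentials(const char *url)
{
    const char *p = strpbrk(url, "@/?#;");
    return (p && *p == '@') ? p + 1 : url;
}

static char host_buf[256];            /* result buffer shared by both parsers */

static const char *copy_host(const char *h)
{
    size_t n = strcspn(h, ":/?#;");   /* host ends at port, path, query, ... */
    if (n == 0 || n >= sizeof host_buf) return NULL;
    memcpy(host_buf, h, n);
    host_buf[n] = '\0';
    return host_buf;
}

/* Naive parse: skip "scheme://", skip credentials as above, copy the host. */
const char *naive_host(const char *url)
{
    const char *a = strstr(url, "://");
    return a ? copy_host(naive_skip_credentials(a + 3)) : NULL;
}

/* Hardened parse: bound the authority at the first '/', '?' or '#' first
 * (RFC 3986), then count '@' inside it; RFC 3986 forbids a bare '@' in
 * userinfo, so more than one is ambiguous and the URL is rejected. */
const char *strict_host(const char *url)
{
    const char *a = strstr(url, "://");
    if (!a) return NULL;
    a += 3;
    size_t auth_len = strcspn(a, "/?#");
    const char *at = NULL;
    int ats = 0;
    for (size_t i = 0; i < auth_len; i++)
        if (a[i] == '@') { at = a + i; ats++; }
    if (ats > 1) return NULL;         /* an '@' would leak into the host */
    return copy_host(at ? at + 1 : a);
}
```

For the report's example URL, naive_host() returns "attacker.com@victim.com" while strict_host() rejects it; both return "example.com" for an ordinary http://user:pw@example.com/x.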

CVE-2024-38428: wget URL parser allows multiple @ characters in hostname causing hostname confusion - inErrata Knowledge Graph | Inerrata