Security issues Hostname spoofing & Open Redirect

[ready-research]

@lpinca @3rd-Eden I have reported a security issue in huntr
https://www.huntr.dev/bounties/1625557993985-unshiftio/url-parse/
There are 2 attack scenarios possible for Open Redirect and Hostname Spoofing(Please take a look at the last comment)

Please validate and let us know your opinion on this. Thank you.

[lpinca]

I logged in but I can't read the report.

[JamieSlome]

@zidingz - just attaching you here for your reference.

[zidingz]

Hey @lpinca You should be able to have access to the report now. Let me know if issues persist ❤️

[lpinca]

Yes, it works now. Thanks. I've also pinged Arnout (@3rd-Eden) on Twitter.

[akazemier-godaddy]

I don't have access to the report either, but seems the same issue as reported previously on H1 about slash escaping. See SECURITY.md for ref.

[3rd-Eden]

FML, that was my work account 😂 ANYWAYS, I can't access it on this account 😂

[ready-research]

@zidingz can you please help on this one.
@3rd-Eden 2nd issue hostname spoofing is completely different from that H1 report. And 1st one too

[zidingz]

@3rd-Eden You should also have access now!

[lpinca]

@zidingz now I can no longer read the report :) Can we both have access or is it limited to only one maintainer?

[3rd-Eden]

I still can't access it either.

[zidingz]

@lpinca @3rd-Eden Apologies, fixed now!

Let me know if either of you still can't view. Will be on call here until you're all set.

[3rd-Eden]

✅ Access is working here.