SSRF vulnerability in favicon servlet

As reported by Shvetsov Alexander (Positive Technologies):

An application is vulnerable to Server Side Request Forgery if the application processes user supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.) and even fetch data from remote services in unconventional ways. SSRF allows attackers to target the server infrastructure, mostly the intranet of the web server, the web server itself and any public Internet facing server as well. 

An attacker can force Openfire application to send GET HTTP requests on any host and port with any GET arguments. It is possible to read response from these requests. There is an example of malicious link below:

http://localhost:9090/getFavicon?host=192.168.176.146:8080/?

Vulnerability can be used for:

1. Port Scanning remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.

2. Exploiting vulnerable programs running on the Intranet or on the local web server

3. Fingerprinting intranet web applications using standard application default files & behavior

4. Attacking internal/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.)