It wouldn't help to disable the Joomla! email process. Any email that goes through Joomla! - as they should - is properly vetted and not dangerous. The only time the exploit can be triggered is if an extension uses PHPMailer directly and sends email through it. This is Nicholas' response from earlier today:
Our software is using the Joomla! mail API, following the Joomla! best practices. As noted in the security advisory in this case there is nothing to worry about.
Further to that please remember that the vulnerability only applies to a malicious, ill-formed e-mail sender address. As you are already aware Admin Tools is using your site's name and email from address, as configured in Joomla's Global Configuration, in all communications to you. In other words, we're doing what all Joomla components are supposed to do. Since this is properly filtered by the Joomla! mail API before use you do not run any risk.
Even if we didn't use the API properly ... you would STILL not be in any danger. You see, the Global Configuration is only modifiable by either Super Users or people with write access to your site. That is, changing these settings to exploit the PHPMailer vulnerability to compromise a site would require you to have already compromised the site. Therefore it'd be a case of "I can hack myself". We can't protect you from yourself or who you think are trusted administrators who have gone rogue.
The security advisory covers EXACTLY ONE CASE for third party components, where ALL of the following conditions are met:
- The extension uses PHPMailer directly, without going through the JMail API.
- The extension does NOT perform any filtering on the sender address.
- The extension allows unprivileged users to specify the email sender address.
I am pasting the text from the Joomla! security advisory:
All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.18 which will be included with Joomla! 3.7. After analysis, the JSST has determined that through correct use of the JMail class, there are additional validations in place which make executing this vulnerability impractical within the Joomla environment. As well, the vulnerability requires being able to pass user input to a message’s “from” address; all places in the core Joomla API which send mail use the sender address set in the global configuration and does not allow for user input to be set elsewhere. However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue.
The only software of ours using its own copy of PHPMailer is Akeeba Backup for WordPress and Akeeba Solo. Even there, the only place where it's used is to send emails when the backup is complete. Again, the From address can only be defined by the administrator or someone who has write access to the site's files. As I explained above this demotes this threat to a case of "I can hack myself" i.e. if you have already full access to a site you can "hack" it which is, of course, absolutely useless.
Dale L. Brackin
Support Specialist
English: native
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
My time zone is EST (UTC -5)
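To find the extensions the advisory quoted above warns about, those that bundle a separate copy of PHPMailer, a site owner can inventory every copy on disk and compare its version with 5.2.18. The following is an added example, not code from Joomla! or Akeeba; it assumes PHPMailer 5.x's `class.phpmailer.php` file name and `$Version` property, and the sample tree and extension names are constructed.

```python
import re
import tempfile
from pathlib import Path

PATCHED = (5, 2, 18)  # first fixed release named in the advisory quoted above
# Assumption: PHPMailer 5.x declares its release as `public $Version = 'x.y.z';`
VERSION_RE = re.compile(r"\$Version\s*=\s*['\"](\d+)\.(\d+)\.(\d+)")


def find_bundled_phpmailer(root):
    """Return sorted (relative path, version tuple or None, needs_review) rows."""
    root = Path(root)
    rows = []
    for path in root.rglob("*.php"):
        if path.name.lower() != "class.phpmailer.php":
            continue
        m = VERSION_RE.search(path.read_text(errors="replace"))
        version = tuple(map(int, m.groups())) if m else None
        # An unreadable version is flagged too: it needs a manual look.
        rows.append((path.relative_to(root).as_posix(), version,
                     version is None or version < PATCHED))
    return sorted(rows, key=lambda r: r[0])


def build_sample_tree(root):
    """Constructed sample layout; extension names are hypothetical."""
    samples = {
        "libraries/vendor/phpmailer/phpmailer/class.phpmailer.php": "5.2.16",
        "components/com_example/lib/class.phpmailer.php": "5.2.9",
        "plugins/system/examplemail/PHPMailer/class.phpmailer.php": "5.2.21",
    }
    for rel, ver in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True)
        target.write_text("<?php\nclass PHPMailer {\n    public $Version = '%s';\n}\n" % ver)
    (Path(root) / "components/com_example/lib/class.smtp.php").write_text("<?php\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version, review in find_bundled_phpmailer(tmp):
            label = ".".join(map(str, version)) if version else "unknown"
            print(f"{'REVIEW' if review else 'ok':6}  {label:8}  {rel}")
```

A flagged copy only shows that an old PHPMailer is present on disk; whether the owning extension calls it directly, filters the sender address, or lets unprivileged users set it still has to be checked against the three conditions listed above.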