General information
The security issue only affects developers who bypass Joomla's mail interface (JMail) and use PHPMailer directly, either the copy shipped with Joomla or, more typically, a copy they bundle with their software; or developers who pass a custom sender (From) e-mail address to JMail. In both cases the attack is only possible IF, AND ONLY IF, the sender (From) e-mail address originates from an untrusted source, i.e. unvalidated, unfiltered user input coming from unprivileged, untrusted users.
When you use Joomla's default e-mail API (JMail) the mail sender address is stored in the site's Global Configuration (configuration.php) which means that only a Super User or someone with full filesystem access to your site can modify it.
Joomla itself is NOT vulnerable, and developers are required to validate and filter the input data to their own software. In fact, Joomla provides a very robust email address validator which, if used on data entry, will prevent entering the kind of data required to exploit this vulnerability in PHPMailer. Therefore, if developers use core Joomla correctly their software will be immune to this issue, just like Joomla. That's why Joomla is not releasing an update.
In the light of this information let's address your concerns:
- Whether setting websites to send via SMTP instead of PHP mail would keep us safe.
No. The mail delivery gateway is irrelevant, as it'd come into play long, LONG, REALLY LONG after the attack vector (parsing of the From headers while preparing an email for sending) runs.
- Trying to manually update the Joomla core library may be of some use.
Joomla is immune to this attack by the nature of its mail API (JMail), as we discussed above.
Only extensions which set the sender (From) address of the email field to unfiltered, unvalidated data originating from unprivileged users are affected. Due to e-mail security features like SPF and DKIM almost nobody does this... except apparently some mass mailer (newsletter) components, like AcyMailing, which were updated immediately after this exploit was made known.
To put things in perspective, setting the From address is not unheard of. We let you do that in Akeeba Ticket System, but ONLY if you are a Super User who is configuring support Categories, and we do use Joomla's email validation rules. So unless you go and edit your database by hand with the explicit purpose of hacking yourself (which is no different to taking apart a wall socket with a screwdriver with the explicit purpose of electrocuting yourself) you're just fine.
- Whether there is another way to protect a website globally against this type of exploit.
No. There is no magic bullet. What you should do is employ the standard security best practices: do not run outdated software, always monitor your software for available updates and install them promptly and so on.
In conclusion
This security issue has been blown out of proportion by people who don't really understand how Joomla works. They thought "PHPmailer has a security issue, Joomla uses PHPmailer, ergo Joomla has a security issue".
WRONG! Exploiting this vulnerability requires bad data being fed to the PHPMailer library. Joomla's default behavior is to populate this field with safe data, entered and audited by Super Users only. In fact, due to SPF and DKIM, this is probably the only data which will ever really work for sending out an email.
For the rarer, yet legitimate, cases where a developer needs a different sender address, Joomla provides email validation rules (JFormRuleEmail) which would catch and prevent the malicious data required to exploit PHPMailer. It should be noted that the most fundamental security lesson a developer is taught is something that seems to be taken straight out of The X-Files: "Trust No-one". All user data is to be considered malicious unless proven safe. Developers ignore that mantra at their own (and their clients') risk and peril.
So as long as you use software by reputable developers who know what they are doing AND stay on top of updates you are safe.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
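The pattern the post describes (the From address comes from the trusted site configuration by default, and a caller-supplied From is accepted only after it passes a strict email-address validation at data entry) can be shown as a small stand-alone example. The code below is an added illustration written for this page in Python; it is not Joomla's JMail or JFormRuleEmail code, nor any Akeeba code, and the function names (`is_safe_sender`, `choose_sender`) and the sample addresses are constructed for the example. The validator is deliberately stricter than full RFC 5322: it refuses quoted local parts, whitespace, backslashes and control characters, because a sender address for an application mail never needs them.

```python
import re
from typing import Optional

# Unquoted local part: RFC 5321 "atext" characters in dot-separated runs.
# Quotes, backslashes, spaces and angle brackets are intentionally absent
# from the character class, so any value that relies on them is rejected.
_LOCAL_PART = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
)
# One DNS label: alphanumerics and interior hyphens, 1..63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_safe_sender(address: str) -> bool:
    """Return True only for a plain, single mailbox address such as
    user@example.com. Anything else (including syntactically clever but
    unusual addresses) is refused rather than "cleaned up"."""
    if not isinstance(address, str) or not address or len(address) > 254:
        return False
    # Reject every ASCII control character (CR, LF, NUL, TAB), the space and
    # DEL outright, before any structural parsing happens.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in address):
        return False
    local, sep, domain = address.partition("@")
    if not sep or "@" in domain:
        return False
    if len(local) > 64 or not _LOCAL_PART.fullmatch(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def choose_sender(config_from: str, requested_from: Optional[str] = None) -> str:
    """Decide which From address a mail will carry.

    config_from   -- the site's configured sender, set by an administrator
                     (the trusted default, as the post describes for JMail).
    requested_from -- an optional override that arrived with the request and
                     is therefore untrusted until it passes is_safe_sender().
    A rejected override raises instead of being mangled, so the mail is never
    built from a value the application did not explicitly accept.
    """
    if not requested_from:
        return config_from
    if not is_safe_sender(requested_from):
        raise ValueError("refusing to use an unvalidated From address")
    return requested_from


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    site_from = "noreply@example.com"          # trusted: from configuration
    candidates = [
        "support@example.com",                 # ordinary override: accepted
        "first.last+tag@sub.example.co.uk",    # still a plain mailbox: accepted
        '"first last"@example.com',            # quoted local part: rejected
        "support@example.com extra",           # embedded whitespace: rejected
        "support@example.com\r\nX: y",         # CR/LF: rejected
        "support@localhost",                   # dotless domain: rejected
    ]
    for candidate in candidates:
        try:
            chosen = choose_sender(site_from, candidate)
            print(f"accepted {candidate!r} -> From: {chosen}")
        except ValueError as err:
            print(f"rejected {candidate!r}: {err}")
    print(f"no override -> From: {choose_sender(site_from)}")
```

The important design choice is that validation happens where the value enters the application, and the result is a hard rejection: there is no "sanitise and continue" path, so a mailer library downstream only ever sees an address that already looks like one.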