CSRF Vulnerability in Web Applications (and how to avoid it in the Magento Admin)
In a recent blog post on artisansystem.com there is a description of a hypothetical CSRF attack on a Magento admin. It is important to note that for this attack to be possible, the attacker must know the admin path (frontName). If this is unknown to the attacker, the attack will result in a "noroute" and will not cause any harm.