From Release Notes - Magento 1.3.0 (March 30, 2009):
Changes: CSRF Attack Prevention (added form_key param to all admin Urls)
Would be nice if Magento folks would update Yoav’s blog entry http://www.magentocommerce.com/blog/comments/csrf-vulnerabilities-in-web-application-and-how-to-avoid-them-in-magento/
Keep in mind that a NEW installation of 188.8.131.52 has a string of warnings and notices as far back as v1.1. This includes a warning dated Feb 26, 2009 issued specifically for the described security issue, plus a link to the blog entry.
The warning says:
CSRF Attack Prevention
We have just posted a blog entry about a hypothetical CSRF attack on a Magento admin panel. Please read the post to find out if your Magento installation is at risk at (link)
But... the blog entry offers no analysis on how to find out if your installation is at risk. If taken at face value, the post indicates that all installations are at risk, that there is no current fix, and that you must make hacks to hide the location of your admin pages.
That’s a lot of extra work to be un-done later. Would it really be so hard to clarify the blog post?
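As an added illustration of what the release note's form_key change means in practice (example code written for this thread, not Magento's own code or the code from the blog post): a per-session form key is generated, attached to every admin URL or form, and checked on each admin request, so a request a browser is tricked into sending from another site, which cannot know the key, is rejected. The second half is the kind of check the blog post does not give: an audit that scans an admin page's HTML for admin links or forms that carry no form_key. The admin path prefix, the URL layout and the sample page are assumptions constructed for the example.

```python
"""Form-key CSRF protection and an admin-page audit (added example, not Magento code)."""
import hmac
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: admin URLs live under this prefix; adjust for a real install.
ADMIN_PREFIX = "/index.php/admin/"


def new_form_key() -> str:
    """Per-session secret; a cross-site page cannot read it, so it cannot forge it."""
    return secrets.token_urlsafe(16)


def admin_url(path: str, form_key: str, **params) -> str:
    """Build an admin URL that carries the session's form_key, as the release note describes."""
    query = dict(params, form_key=form_key)
    return f"{ADMIN_PREFIX}{path.strip('/')}/?{urlencode(query)}"


def request_allowed(session_form_key: str, url: str, posted_form_key=None) -> bool:
    """Server-side check: allow only if the request presents the session's form key.

    The key may arrive in the query string (links) or as a POST field (forms).
    A request with no key or a wrong key is treated as a possible CSRF attempt.
    """
    qs = parse_qs(urlparse(url).query)
    supplied = posted_form_key or (qs.get("form_key") or [None])[0]
    if supplied is None:
        return False
    # Constant-time comparison so timing does not leak anything about the key.
    return hmac.compare_digest(supplied, session_form_key)


class AdminLinkAuditor(HTMLParser):
    """Collects admin links and forms on a page that carry no form_key."""

    def __init__(self):
        super().__init__()
        self.unprotected = []
        self._form = None  # [action, has_key] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href", "").startswith(ADMIN_PREFIX):
            if "form_key" not in parse_qs(urlparse(a["href"]).query):
                self.unprotected.append(a["href"])
        elif tag == "form":
            action = a.get("action", "")
            has_key = "form_key" in parse_qs(urlparse(action).query)
            self._form = [action, has_key]
        elif tag == "input" and self._form is not None and a.get("name") == "form_key":
            self._form[1] = True  # hidden form_key field protects this form

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            action, has_key = self._form
            if action.startswith(ADMIN_PREFIX) and not has_key:
                self.unprotected.append(action)
            self._form = None


def audit_admin_html(html: str) -> list:
    """Return admin link/form targets on the page that lack a form_key."""
    parser = AdminLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.unprotected


# Constructed sample admin page: two protected targets, two unprotected ones,
# and one storefront link that is out of scope.
SAMPLE_ADMIN_PAGE = """
<a href="/index.php/admin/catalog_product/delete/id/42/?form_key=abc123">delete product</a>
<a href="/index.php/admin/customer/delete/id/7/">delete customer</a>
<form action="/index.php/admin/system_config/save/" method="post">
  <input type="hidden" name="form_key" value="abc123">
</form>
<form action="/index.php/admin/sales_order/cancel/" method="post"></form>
<a href="/index.php/">storefront</a>
"""

if __name__ == "__main__":
    key = new_form_key()
    good = admin_url("customer/delete/id/7", key)
    forged = "/index.php/admin/customer/delete/id/7/"  # what a cross-site page can build
    print("legitimate request allowed:", request_allowed(key, good))
    print("forged request allowed:   ", request_allowed(key, forged))
    print("unprotected admin targets:", audit_admin_html(SAMPLE_ADMIN_PAGE))
```

Running the audit against a page fetched from your own admin session (with any real form keys redacted before sharing output) gives a concrete answer to "is this installation at risk": every admin action link or form it lists is one a cross-site page could still trigger.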