modern-web-design-and-development

(Brent) #1

You could even use JavaScript to automatically send the form or a script on
another server to do the POST request from the back-end. There are many
ways to exploit CSRF, and protecting against it is not that hard.


Remote File Inclusion (RFI)


With remote file inclusion or code injection, an attacker uses a flaw in your
website to inject code from another server to run on yours. It is in the same
family as XSS but much more problematic because you have full access to
your server (with JavaScript, you can steal cookies and call other code, but
you can't access the file system without resorting to tricks with Flash or Java
Applets).


Any code injected into your server through an untested variable and an include()
command, for example, could run server commands: upload and download
and transfer data to other servers, check your server passwords and user
names, anything you can do on the command line via PHP or ASP if your
server allows for it.


This is probably the worst that can happen to your server, because with
command line access, I could turn it into an attack machine for a server
network attack, silently listen to everything you and your users do on the
server and send it to another Web resource, store information and viruses
for distribution, inject spam links, you name it.


The workaround is to turn off globals and to never ever assemble a URI
from parameter or form data. (More on that later in the PHP section of the
tips.)
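As an added illustration (not code from the book or the post), here is the include() pattern described above in PHP, with the flawed version beside an allowlist fix that never builds a path or URI from request data; the page names and the `pages/` directory are assumed for the example.

```php
<?php
// Added example: a page loader showing the include() flaw and a fixed form.
// The PAGES map and the pages/ directory are constructed for illustration.

// FLAWED: the request parameter is spliced straight into include(), so the
// included path (or, with allow_url_include on, a remote URI) is attacker chosen.
function load_page_flawed(array $get): void
{
    include($get['page'] . '.php');
}

// FIXED: the parameter is only ever a key into a fixed map of known files.
// No user data becomes part of a file name or URI.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(array $get): ?string
{
    $key = $get['page'] ?? 'home';
    // Only an exact, known key is accepted; anything else resolves to null.
    return PAGES[$key] ?? null;
}

function load_page_fixed(array $get): void
{
    $file = resolve_page($get);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Defence in depth: remote includes should also be disabled in php.ini.
// This helper lets a deployment check assert the setting is off.
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Usage: load_page_fixed($_GET);
```

With the map in place, a value such as `../../etc/passwd` or an external URL in `page` simply misses the allowlist and returns a 404 rather than reaching include().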
