CSRF stands for "Cross-Site Request Forgery". It's a simple problem: for many HTML forms, you can craft an IMG tag that will "submit" (via GET) to the form's handler. For others, XMLHttpRequest JavaScript code can do the same thing for POST. In both cases, the exploit is the same: a "drive-by" form submission from malicious HTML rendered from any web page.
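Why the drive-by submission works and what stops it, as an added example that is not code from the original page: a handler that trusts the session cookie alone, next to one that refuses state changes on GET and requires a per-session token on POST. The handler names, request objects and session id are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: one server process, so a per-process random key is enough.
const SECRET = crypto.randomBytes(32);

// The token is an HMAC over the session id, so it is bound to one session
// and a page on another origin cannot compute or read it.
function issueToken(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

function tokenMatches(sessionId, token) {
  const expected = Buffer.from(issueToken(sessionId));
  const given = Buffer.from(String(token || ''));
  // timingSafeEqual requires equal lengths, so check that first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Before: the cookie alone authorises the action, on any method.
function handleNaive(req) {
  return req.cookies.sid ? 'transfer done' : 'login required';
}

// After: GET never changes state, and POST needs the per-session token.
function handleHardened(req) {
  if (!req.cookies.sid) return 'login required';
  if (req.method !== 'POST') return 'rejected: method';
  if (!tokenMatches(req.cookies.sid, req.body.csrf)) {
    return 'rejected: csrf token';
  }
  return 'transfer done';
}

// Constructed requests. The browser attaches the cookie in all three;
// only the form served by the site itself carries the token.
const sid = 'session-abc123';
const imgTagGet = { method: 'GET', cookies: { sid }, body: {} };
const crossSitePost = {
  method: 'POST', cookies: { sid }, body: { amount: '100' },
};
const ownForm = {
  method: 'POST', cookies: { sid },
  body: { amount: '100', csrf: issueToken(sid) },
};

for (const req of [imgTagGet, crossSitePost, ownForm]) {
  console.log(req.method, handleNaive(req), '|', handleHardened(req));
}
```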