Hi,
I have been doing some custom development work against nop 3.5 and I think I have found a CSRF vulnerability in the Admin portal.
I have set up a demo site at http://benevolent-kitten.neocities.org to demonstrate the attack leveraged against the demo admin portal at http://admin-demo.nopcommerce.com/
The steps to reproduce the attack are (note: this was tested in Google Chrome):
1) Go to the nop demo admin portal (http://admin-demo.nopcommerce.com/Admin/GiftCard/List) and log in. (Email: [email protected] Password: admin)
2) Take a note of the gift card count.
3) Go to (http://benevolent-kitten.neocities.org/).
4) Go to the gift card list page again (http://admin-demo.nopcommerce.com/Admin/GiftCard/List) and see the new gift card.
The issue here is that if a user with authorization to edit gift cards is socially engineered into visiting http://benevolent-kitten.neocities.org/, they will unknowingly create a new gift card. I am sure that with a little thought you could engineer a much less benign attack.
Nick