Thanks for posting this. I haven't seen much about Magento on HN, though it's got a ton of potential for ecommerce startups. Unfortunately its development has been pretty rocky so far. I added this post to their bug tracker.
I think someone could do very well offering Magento as a hosted service once it matures. Server administration is the cause of a lot of strife, and few online retailers are interested in that.
It's surprising, and a little disappointing, that the original author had not already submitted it.
I've not played around with Magento but my understanding is that it's based on the Zend Framework. Zend_Form has a dedicated element for preventing CSRF attacks: Zend_Form_Element_Hash. That said this looks more like a poor design choice rather than a limitation of the tools/framework used.
Just a word of warning, since the article doesn't make it clear: Using POST is not an effective defense against CSRF. You need to include some sort of unique token in the form.
(Checking the referrer certainly helps, but will cause problems for anyone who has referrers disabled in browser privacy settings or is behind a proxy that strips referrer headers)
I've been working on it daily since October. Compared to osCommerce, Zen Cart and Volusion, Magento is slow and extremely flexible, mostly due to its EAV architecture: http://en.wikipedia.org/wiki/Entity-attribute-value_model. You can bend it to meet various business models (inventory vs drop ship, physical vs downloadable, etc.). Its most unique strength is running multiple sites from the same db (though again, performance becomes an issue).
Interface-wise, Magento is years ahead of the rest. Just visit a demo site.
It does run on the Zend Framework, so studying that (and OO PHP in general) is a requisite for writing modules. The ZF brings sophisticated inheritance logic, both in terms of object overloading and template inheritance. Thus, extending Magento is a breeze compared to other software.
Magento's downsides stem from being young and free. The documentation is hit-or-miss, and the forum is full of FUD from inexperienced users who are attracted to the price tag.
The Magento team has a habit of scrambling a maintenance patch right after a release, which probably means bad QA. If a new release comes out, it's best to wait a couple weeks and watch for x.0.1.
Having a dedicated server with a solid control panel and shell access will be a lifesaver. Crontab control is a must. I'm amazed how many people try to jam this thing on GoDaddy.
I think someone could do very well offering Magento as a hosted service once it matures. Server administration is the cause of a lot of strife, and few online retailers are interested in that.