Ok, not sure I made too much sense in the above "one-liner".
If the page with the javascript submits the data to http://evil.example.com/evil-script.php, then evil-script.php might include code for sending the data to the punBB-board + spoofing the HTTP_REFERER. After all, the HTTP_REFERER is just a string / HTTP header. If I know the board URL, I know what to include in my spoof-scripts. A HTTP_REFERER check only gives a false feeling of security.
"The most common use of this header is to track how users are finding your site. (...) this information should only be used to satisfy your curiosity (...) it should never be relied upon for any sort of security." - Chris Shiflett, HTTP Developer's Handbook
Wouldn't it be better to include some kind of shared secret between the form and the admin-scripts. One could for instance include a hidden-field in the form - with its value set to some kind of "dynamic"/"secret" content, and then validate the post-data in the admin-scripts afterwards.
Example:
First, generate the value:
<?php $secret = md5(date("Ymdh") . "some kind of secret string"); ?>
(It would probably have to be better than the use of date() above, but it serves as an example of content that you would be able to check later on)
Then, insert it into the form
<input type="hidden" name="secret" value="<?= $secret ?>" />
And finally, in the admin-scripts, you check that a $newly_calculated_value_of_secret == $_POST['secret'].
Make sense?
It's of course not bulletproof, but this way you at least require more effort from the user (to figure out what the $secret is / is calculated from), plus: an evil form wouldn't be valid/useful for long...
