D-Link closes hole
Posted by: Timothy Weaver on 12/05/2013 05:15 PM
An administrative backdoor in D-Link's SOHO broadband routers has been closed.
The vendor promised to patch it by the end of October.
The patch has now been issued here.
All an attacker needs to do is to set their browser user agent string to read xmlset_roodkcableoj28840ybtide. This drops them directly into the admin page without a login.
Only turning off remote administration would protect the device.
It is possible that someone dropped the code during development and forgot to remove it.
*Note: read the string backwards.
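For defenders checking whether the backdoor string was ever sent to a device, here is an added example (not part of the original article or any D-Link code) that scans web access logs for it. It assumes the logs come from a proxy or sensor in front of the router and use the Apache/NGINX combined log format; the sample lines and the name `find_backdoor_hits` are constructed for illustration.

```python
import re
from collections import defaultdict

# Backdoor User-Agent value quoted in the article above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

def find_backdoor_hits(lines):
    """Return {source_ip: [hit, ...]} for requests carrying the backdoor User-Agent."""
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skipped rather than guessed at
        # Substring match, so a padded or decorated value is still flagged.
        if BACKDOOR_UA not in m["ua"]:
            continue
        status = int(m["status"])
        hits[m["ip"]].append({
            "line": lineno,
            "time": m["time"],
            "request": m["request"],
            "status": status,
            # A 2xx answer means the page was served without a login challenge.
            "served": 200 <= status < 300,
        })
    return dict(hits)

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Oct/2013:09:12:01 +0000] "GET / HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.7 - - [14/Oct/2013:09:13:44 +0000] "GET / HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [14/Oct/2013:09:13:50 +0000] "GET / HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.50 - - [06/Dec/2013:11:02:10 +0000] "GET / HTTP/1.1" 401 512 "-" "xmlset_roodkcableoj28840ybtide"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for ip, events in find_backdoor_hits(SAMPLE_LOG).items():
        print(ip, [(e["time"], e["status"], e["served"]) for e in events])
```

A hit with `served` set to true is the case to investigate first: the string arrived and the request was answered without a login challenge.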