TP-Link TL-WDR4300 can run OpenWrt [1], a highly modular Linux distribution meant primarily for routers. If you have one of those routers and you're at all familiar with Linux, you should really consider upgrading to OpenWrt. Once you've got the web UI set up, administering it becomes very similar to configuring "normal" routers.
Unfortunately, stock firmware that comes with a lot of routers has just been no good, even if it lacked gaping security holes like this. Fortunately, there are community-developed FOSS alternatives that offer a better user experience; I imagine that having more eyes on the source also helps their security. I use TomatoUSB [2] on my main router (Asus RT-N66U) and OpenWrt on the "experimental" one (TP-Link TL-MR3020) and can highly recommend both distributions.
I like Gargoyle firmware, which is based on OpenWrt. It has a simpler interface with QoS ready to go. The experimental version 1.5.9 has CoDel built in. So far the router seems to be handling VoIP better than the Asus RT-N16 running Shibby's TomatoUSB firmware.
TP-Link routers are great for custom firmware. I used to run DD-WRT but now run OpenWRT.
OpenWRT takes a little longer to get set up, but once you do it runs perfectly and doesn't require any changes (I've been running mine for over a year without a hitch, and before that, years with DD-WRT).
A thumbs up for OpenWrt. I had been running a D-Link DIR655 before I got my WDR4300 set up with OpenWRT. Moving to OpenWRT fixed a good amount of problems I had been having with zeroconf-announced services on my local zeroconf services. Netatalk, specifically, would only work for the first hour or so on the DIR655, but with OpenWRT on the WDR4300 it works perfectly.
The configuration is really quite fantastic, and you can do pretty much anything you could want.
More specifically, http://www.dd-wrt.com/ is fantastic, based on the OpenWRT kernel. I use it on all my routers now. I've been using it on my routers since 2006.
I was having major issues after two years, only last week, with an old Buffalo Wireless-N router. I switched over to DD-WRT last week and all was cured, and I'm getting better wireless performance.
The major vuln aside -- are they seriously running Apache on the router?
"/usr/bin/httpd" sure looks to me like Apache (but could of course be anything). Heard of Nginx or Lighttpd (or countless other lightweight web servers)?
Who said anything about magic? Apache's default config is crappy and it's a bloated web server. It will bring down any VPS to swap death unless you lower MaxClients etc. with even a moderate amount of traffic.
More modern web servers (and more lightweight ones) don't have that problem. They work for most configurations out of the box (and perform better).
I don't know how Apache is configured on this particular router, but I can spot ten httpd processes in the process listing. So yes, Apache is likely both a bad choice to start with and, beyond that, it is also poorly configured.
My RT-N16 died just past warranty - something with the power; it'd only power on maybe 1 out of 25 times when sticking the adapter plug in. :/ Until that happened I'd been quite a fan, and it ran custom firmware quite contentedly.
Currently I'm running a Netgear Centria WNDR4700 (it was a freebie for various reasons) and it has the lovely habit of storing user names and passwords in plain text (file share user names and passwords are displayed in plain text, and they're always the same as login names and passwords so far as I can tell). Unfortunately I'm not aware of any custom firmwares for it. :(
I have a TP-LINK TL-WDR3500 buried in my closet. I hadn't realized it might work with custom firmware. The physical ports being 10/100 would still be annoying, but it might be worth looking into flashing it. Glad I saw this post. =)
I know it really isn't relevant to the vulnerability, but it bugs the crap out of me to see somebody running commands as root when they don't need to... Does this bother anyone else?
It doesn't bother me. Sometimes it's just more convenient not having to type sudo with every command. Especially if it's a throw away VM/host that you're experimenting with. YMMV.
As I keep the root account disabled (for interactive login), yes, it bugs me too.
But my inherent laziness is exactly why I keep it disabled. If I left it enabled I'd constantly just su instead of thinking about what it is I am doing and sudo only the relevant bits.
I just ordered this router knowing about this backdoor. I'm planning to install OpenWrt as soon as it arrives, which I recommend to anyone, as was pointed out in other comments.
You need access to the HTTP server to hit that URL, which means it won't work over LAN unless you enabled remote management. Don't enable remote management on your router :)
[1] http://wiki.openwrt.org/toh/tp-link/tl-wdr4300
[2] http://tomatousb.org/