http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings.
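A detection sketch for the User-Agent value quoted above, added here as an example and not taken from the linked article. It assumes you have access logs in Combined Log Format from a proxy or sensor in front of the device's management interface; the function name, field names and sample log lines are constructed for illustration.

```python
import re

# User-Agent value quoted in the text above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + " " + QUOTED + r'\s*$'
)

def find_backdoor_requests(lines):
    """Return one record per parsable line whose User-Agent carries the string."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # not Combined Log Format; skipped rather than guessed at
        src, when, request, status, _referer, ua = m.groups()
        # Assumption: substring match, deliberately broader than an exact
        # compare, so padded or decorated values are flagged as well.
        if BACKDOOR_UA not in ua:
            continue
        hits.append({
            "lineno": lineno, "src": src, "time": when, "request": request,
            "status": int(status),
            # 2xx: the request was served rather than rejected.
            "served": 200 <= int(status) < 300,
        })
    return hits

# Constructed sample input (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2013:09:12:01 +0000] "GET / HTTP/1.1" 401 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [14/Oct/2013:09:13:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [14/Oct/2013:09:13:50 +0000] "POST /settings HTTP/1.1" 200 87 "-" "xmlset_roodkcableoj28840ybtide"',
    'line that is not in combined log format',
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `served` set is worth triage, since no legitimate browser sends this User-Agent.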