possible exploit: D-Link DI-804 unauthorized DHCP release from WAN

[Jens Jensen <jpj () netcom-usa com>]

Problem: malicious user can release DHCP client on D-Link DI-804 router 
interrupting network communications

I need some other D-Link DI-804 users (as well as other dlink routers) to
see if they can reproduce this problem--
With "remote administration" mode enabled to any IP (web interface wide 
open
on WAN side), It seems that a malicious user can activate DHCP
release/renew without first being authenticated as the admin (priviledged
user)

the webpage that I can get to on the dlink built in web interface is
http://xxx.xxx.xxx.xxx/release.htm
where xxx.xxx.xxx.xxx is the ip address of your router, specifically for
these purposes, the wan ip address

firmware: 4.68
device: DI-804

This would be a BAD thing, since an attacker could interrupt communications
on the router
This can be temporarily fixed by either disabling "remote administration" 
or limiting the IP addresses allowed to remote admin.
I have submitted this to D-Link support.
I'm also wondering what other D-Link routers this could affect.

Jens Jensen
MCP, CCNA