Seems like the attacker would have to know the default IP of your router. I always change mine from the typical defaults.

It's not obvious from the post whether or not this would affect other open source firmware, including Tomato. The others may have their own httpd or, even if they share code, may have implemented some URL sanitization.
_________________________
Bruno
Twisted Melon : Fine Mac OS Software