I can't believe this kind of vulnerability still exists by accident. I remember doing this on a DSL router from the ISP Vivodi about 7-8 years ago and even then I was surprised this could be done.
You would point your browser to the IP address of the router and that would open the router's homepage. Of course there you were required to login and most users would have set up passwords. If you deleted the last part of the homepage URL (which was the filename of the actual html file loaded), you would end up in the parent directory. There, you would see other pages from the interface but most would show error 401. Most, except the page that contains the "upgrade firmware" and "backup/restore settings" command buttons. You pressed the backup button and voila! You had an .xml file with all the settings of the router. In those days, some routers would even show passwords in plaintext in the .xml file. You would see everything from admin passwords, ISP passwords, port forward settings, services used etc.
Even then that struck me as weird because I remembered that flaw from the Netscape browser back in 1999 when we used to do that in many many sites and have fun discovering all sorts of folders and files behind them. I simply cannot believe it is still here in 2015. It's either criminal negligence, or just plain criminal