SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the «username» parameter in the component «chkuser.php».