PHP::in_array() Type Juggling

<?php
function __autoload($className) {
    include $className;
}

$controllerName = $_GET['c'];
$data = $_GET['d'];

if (class_exists($controllerName)) {
    $controller = new $controllerName($data);
    $controller->render();
} else {
    echo 'There is no page with this name';
}

class HomeController {
    private $data;

    public function __construct($data) {
        $this->data = $data;
    }

    public function render() {
        if ($this->data['new']) {
            echo 'controller rendering new response';
        } else {
            echo 'controller rendering old response';
        }
    }
}
?>

First vulnerability in line 9, according to PHP manual.

#class_exists

class_exists - This function checks whether or not the given class has been definded

class_exists ( string $class_name, bool $autoload = true) : bool

##Parameter

class_name
The class name. THe name is matched in a case-insensitive manner.

auto_load
Whether or not to call __autoload by default

In this case, the class_exists function will check if the controller name we pass in is a valid, but it will first have to called the autoload function making sure all the function is loaded. When this happens, it actually includes the unknown $classname parameter we passed in.