The site is back online. If anyone cares, here's what happened:

PHP comes with one of the worst security risks known to man, "register globals". When this is turned on, any parameters you pass in the URL overwrite global variables with the same name in your PHP. Now, imagine that your CMS relies on a global variable that specifies a directory where it can find its config from, and that this location can also be a URL (i.e. can reference a file on another webserver). Yep, that's right: simply specify a URL parameter and you can execute arbitrary PHP on the webserver.

So, everyone turns off register globals. Unfortunately, this breaks a lot of poorly written Joomla components. So the clever people at Joomla invented register globals emulation, and turned it on by default, because obviously having some components not working is far far worse than leaving a gaping security hole in your CMS.

Paul