There are a number of possibilities like file permissions as you mention. There are plenty to be set and then reversed during post-install sometimes one of them is missed or overlooked by accident.

You mentioned register globals last time I installed dolphin for someone at hostmonster register globals was indeed off by default.

There are some hacks out there that attempt to set globals.

It's a remote possibility that another account holder on the same server has a hack that they gained access see more to other files on the same server.

There are tons of rfi's that hit sites all the time.

Some people also give out hosting access, ftp access, and dolphin admin panel access, whether it be for a mod install or a fix or whatever. Then, they forget to change the passwords after the work is completed.

There is also the possibility that someone found another exploit in dolphin. Script makers often make claims about how safe and secure their script is, but sometimes you need to help it out. Keep it up-to-date and patched, read up on security and how to help protect it and block things. There are a number of things you can do with .htaccess. Check your logs and stats for suspicious activity.

Does someone hate you or your site. You would be surprised what some will do when they really don't like someone or some site. The more you put your domain name out there the more likely someone will try to compromise and exploit it.

I know some folks that have an account with hostmonster and they have never mentioned any problems with hacks.

Anyway good luck to you.