Can think of only one instance in which database credentials could be 'exposed' ... more like 'acquired remotely' by un-authorized access. Did some 'ethical/whitehat hacking' once and discovered this ...
IF php is broken, any index.php file doesn't render pre-hypertext processed, but what appears to be a mix of html and confused state. Apache server treats .php files as text ... doesn't pre-hypertext process them. So, someone could acquire config.php file using any command line app like wget, curl, etc..
Example wget http://site/config.php https:// could also be used. Nothing to stop that. Only diff in those two is http not encripted when data sent over the wire and in https the data is encripted but the data has to be un-encripited on the rec. end. Anyone using a browser pointed to config.php won't display anything cause there's nothing a browser would understand. But, the file would be in cache.
Once config.php is acquired one can open it in a text file editor. One will see then, the DB server, the DB, DB user, DB password for that user. **IF** the installer used the same user as the root user for the operating system with the same password for the config of MySQL, then that's a big hole. And, **IF** ssh is opened on server with no restrictions as to IP address, then anyone could use ssh, use the root user name, with root password found in the config.php file to gain shell access as the root user.
So, never use root as DB user. Never use the same password for the shell root user in the config of MySQL. And when one sets up the admin user in Moodle, don't use root, and don't use the root users password.
'spirit of sharing' ... and 'whitehat hacking',
Ken