The Site Administration -> System Information page (found in admin/systemInfo) contains -amongst other useful things- the database username and password.
This is very 'sensitive' information and thus should either be encrypted by default (much like the login page) OR if no mod_ssl is present/configured, it should be stripped away during parsing of config.inc.php and never displayed in that unencrypted page.
I believe the same applies to OJS as well.
If you share with my concerns, please release a patch (and include it in the next OCS release). I always get anxious when I have to click that link