I'm surprised that ownCloud didn't use a single PHP entrypoint. In PHP software you must restrict access to .php files, that's front controller basis. They really did bad and I'm very disappointed.