The xmlrpc.cgi script has two errors.
One is that it uses $< rather than $> to determine the user. It doesn't make much difference who the real users is; if the effective UID is root (say, in the case of a suid root script), it should probably go ahead and run.
The other related (and minor) issue is that the error messages references xmlrpc.pl, when the script has actually been renamed to xmlrpc.cgi. But as long as you're on that line... :)
For the record, I found this trying to diagnose why I can't seem to make RPC calls against a custom module which uses DBI in my "running Webmin under Apache" environment, so it's unlikely to impact the typical user. But it seems worth reporting none the less.