Below is a small patch I've authored for the QuickPage daemon by Thomas Dwyer III.
The changes as outlined in the CHANGES file are:
Changes to QuickPage from v3.3 to v3.3.1-unleash ------------------------------------------------ Patch by Michael Fincham <email@example.com> - The new "-b" option has been added to specify a bind address for the qpage daemon. - The default user the daemon runs as is now "qpage" instead of "nobody". - To be honest, the -b option doesn't sanitise input very well so don't setuid root the qpage binary or anything dumb like that.
While I haven't identified any specific security issues in the code in many cases there's no point in having qpage listen on 0.0.0.0, so the new "-b" option allows for binding to e.g 127.0.0.1
As a bonus I've also included below a Debian init script to start qpage as a daemon listening on localhost. The package builds to a .deb cleanly with "checkinstall" both with and without the patch supplied here.
QuickPage is supplied under some arbitrary licence that I may not have entirely grokked, so if you feel like I'm violating some term of the licence do let me know.