There is a way to change the Student Permissions to allow this, however; they then have access to all of the files within that course. This includes any database records, back-ups and general files related to the course itself. I do not feel that this is the best option as students should not be allowed to access this information.
The idea was raised that you could create a course strictly for Forums. This would then allow students to access the course and browse all of the files without much of a security threat as there would not be a gradebook or other files that they can get to. Again, I do not feel this is the way to go as the students may still remove or delete files that need to be kept on the server for the course to run properly. I could see this being an option only if the students are to sign an SLA or are given a course in file management. Just a thought.
One work around that I was able to find, was to create a photo database (or use an existing one such as Flickr) then have then continue to use the URL upload option. This will at least give users a direct link to the picture without causing any security issues. Lastly, they can paste the picture into a Word document and upload that as an attachment. I know these are not ideal circumstances since the idea is to have the picture show within a forum, but a couple extra clicks should not be too detrimental to their Moodle experience.
*holding head in disgust*