Translations:Manual:$wgEnableUploads/9/en

Note that a directory writable by the web server is not insecure in itself, but it can be thought of as the first half of a successful attack on your web server. You might therefore like to explore alternatives using img_auth.php.